Microsoft-Windows-WinRM

327 events across 4 channels

Event	Title	Channel	Sample
2	Initializing WSMan API	Operational	Y
3	Initialization of WSMan API failed, error code errorCode.	Operational	N
4	Deinitializing WSMan API	Operational	Y
5	Deinitialization of WSMan API failed, error code errorCode.	Operational	N
6	Creating WSMan Session.	Operational	Y
7	WSMan Create Session operation failed, error code errorCode.	Operational	N
8	Closing WSMan Session	Operational	Y
9	Closing WSMan Session failed, error code errorCode.	Operational	N
10	Setting WSMan Session Option (optionCode) - optionName with value (optionValue) …	Operational	Y
11	Creating WSMan shell with the ResourceUri: resourceUri and ShellId: shellId.	Operational	Y
12	WSMan shell creation failed, error code errorCode.	Operational	Y
13	Running WSMan command with CommandId: commandId.	Operational	Y
14	Running WSMan command failed, error code errorCode.	Operational	N
15	Closing WSMan command	Operational	Y
16	Closing WSMan shell	Operational	Y
17	Signaling WSMan shell	Operational	N
18	Signaling WSMan shell; error code {errorCode}.	Operational	N
19	Closing WSMan operation	Operational	N
20	Sending input to the shell	Operational	N
21	Sending input operation failed; error code {errorCode}.	Operational	N
22	Calling into WSMan to receive output from the shell	Operational	N
23	WSMan receive operation failed; error code {errorCode}.	Operational	N
24	Calling into WSMan to receive output from the command	Operational	N
26	Getting message for error code {inputErrorCode} completed successfully.	Operational	N
27	Getting WSMan Session Option ({optionCode}).	Operational	N
28	Access Denied error: the apiCall API caller does not match the creator of the …	Operational	N
29	Initialization of WSMan API completed successfuly	Operational	Y
30	Deinitialization of WSMan API completed successfuly	Operational	Y
31	WSMan Create Session operation completed successfuly	Operational	Y
32	Setting WSMan Session Option (optionCode) - optionName failed, error code …	Operational	N
33	Closing WSMan Session completed successfuly	Operational	Y
34	Getting message for error code {inputErrorCode} failed; the resulting error code …	Operational	N
35	Signaling WSMan command failed; error code {errorCode}.	Operational	N
36	Signaling WSMan command	Operational	N
37	Closing WSMan shell failed, error code errorCode.	Operational	N
38	Closing WSMan command failed, error code errorCode.	Operational	N
39	Closing WSMan {operationName} operation completed successfully.	Operational	N
40	Closing WSMan operationName operation failed, error code errorCode.	Operational	N
41	The WinRM protocol handler has began loading for application applicationID.	Operational	Y
42	The WinRM protocol handler completed unloading.	Operational	Y
43	The WinRM protocol handler unloaded prematurely due to the following error: …	Operational	N
44	The WinRM protocol handler started to create a session at the following …	Operational	Y
45	The WinRM protocol handler closed the session.	Operational	Y
46	The WinRM protocol session closed prematurely due to the following error: …	Operational	N
47	The WinRM protocol session began an operation of type operationType to the …	Operational	Y
48	The WinRM protocol session successfully completed the operation.	Operational	Y
49	The WinRM protocol operation failed due to the following error: errorMessage.	Operational	Y
64	Auto-detecting proxy settings	Operational	N
65	Proxy AutoDetect done.	Operational	N
66	Setting proxy info Proxy list: {proxyList} Bypass list: {bypassList}.	Operational	N
80	Sending the request for operation {operationName} to destination machine and …	Operational	N
81	Processing client request for operation {operationName}.	Operational	N
82	Entering the plugin for operation {operation} with a ResourceURI of …	Operational	N
83	Leaving the plugin for operation {operation}.	Operational	N
84	The maximum number of users (users) executing shell operations has been …	Operational	N
85	The senderName user is allowed a maximum number of concurrentShells concurrent …	Operational	N
86	The WSMan service could not launch a host process to process the given request.	Operational	N
87	The WSMan host process was unexpectedly terminated.	Operational	Y
90	RunAs was disabled by Group Policy; WSMan service has erased all RunAs …	Operational	N
91	Creating WSMan shell on server with ResourceUri: resourceUri.	Operational	Y
129	Received the response from Network layer; status: {status}.	Operational	N
130	Received the response from Network layer; status: {status}.	Operational	N
131	Received redirect status code from Network layer; status: 302 …	Operational	N
132	WSMan operation operationName completed successfully.	Operational	Y
133	Sending response error packet for ActionURI: {actionUri}.	Operational	N
134	Sending response for operation {operationName}.	Operational	N
135	Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT, using next …	Operational	N
136	Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED, using …	Operational	N
137	Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot …	Operational	N
138	The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)	Operational	Y
139	The client got a login failure from the network layer …	Operational	N
140	Sending HTTP error back to the client due to a transport failure.	Operational	N
141	Sending timeout response for operation: {operationName}.	Operational	N
142	WSMan operation operationName failed, error code errorCode.	Operational	Y
143	Received the response from Network layer; status: 200 (HTTP_STATUS_OK)	Operational	N
145	WSMan operation operationName started with resourceUri resourceUri.	Operational	Y
160	Authenticating the user using {authentication} mechanism.	Operational	N
161	authFailureMessage.	Operational	Y
162	Authenticating the user failed.	Operational	Y
163	The authentication mechanism (authClient) requested by the client is not …	Operational	N
164	The destination computer (destinationMachine) returned an 'access denied' error.	Operational	N
165	The authentication mechanism requested by the proxy is not supported by the …	Operational	N
166	The chosen authentication mechanism is {auth}.	Operational	N
168	Sending HTTP 401 response to the client and disconnect the connection after …	Operational	N
169	Event ID 169	Operational	Y
170	The authentication using client certificate with subject {subject} done …	Operational	N
171	Authenticating the user with the proxy failed.	Operational	N
172	The server certificate on the destination computer (machineName:port) has the …	Operational	N
173	The WinRM service has terminated param1 unauthenticated connections over the …	Operational	N
192	The authorization of the user failed with error errorCode.	Operational	Y
193	Request for user param1 (param2) will be executed using WinRM virtual account …	Operational	Y
194	The authorization of the user failed with error {errorCode}.	Operational	N
208	The Winrm service is starting	Operational	Y
209	The Winrm service started successfully	Operational	Y
210	The WinRM service is unable to start because of a failure during initialization.	Operational	N
211	The Winrm service is stopping	Operational	Y
212	The Winrm service was stopped successfully	Operational	Y
213	The WSMan service could not load current configuration settings as the settings …	Operational	N
214	The WSMan client could not load current configuration settings as the settings …	Operational	N
215	The WSMan service failed to read configuration of the following plugin.	Operational	N
216	The WSMan service failed to restart the plugins marked for AutoRestart.	Operational	N
217	The WSMan service failed to restart the pluginName plugin on service startup.	Operational	N
218	The WSMan service successfully restarted the following plugin on service …	Operational	N
219	The WSMan shell instance param1 will no longer support disconnect reconnect …	Operational	N
224	message.	Operational	Y
229	The WinRM param1 failed to register for group policy change notifications.	Operational	N
230	Deletion of registry key param1 resulted in access denied.	Operational	N
254	Activity Transfer	Operational	Y
255	Activity Transfer	Analytic	Y
257	Initializing WSMan API	Analytic	N
258	Initialization of WSMan API failed; error code {errorCode}.	Analytic	N
259	Deinitializing WSMan API	Analytic	N
260	Deinitialization of WSMan API failed; error code {errorCode}.	Analytic	N
261	Creating WSMan Session.	Analytic	N
262	WSMan Create Session operation failed; error code {errorCode}.	Analytic	N
263	Closing WSMan Session	Analytic	N
264	Closing WSMan Session failed; error code {errorCode}.	Analytic	N
265	Setting WSMan Session Option ({optionCode}) with value ({optionValue}) completed …	Analytic	N
266	Creating WSMan shell with the ResourceUri: {resourceUri}.	Analytic	N
267	WSMan shell creation failed; error code {errorCode}.	Analytic	N
268	Running WSMan command	Analytic	N
269	Running WSMan command failed; error code {errorCode}.	Analytic	N
270	Closing WSMan command	Analytic	N
271	Closing WSMan shell	Analytic	N
272	Signaling WSMan shell	Analytic	N
273	Signaling WSMan shell; error code {errorCode}.	Analytic	N
274	Closing WSMan operation	Analytic	N
275	Sending input to the shell	Analytic	N
276	Sending input operation failed; error code {errorCode}.	Analytic	N
277	Calling into WSMan to receive output from the shell	Analytic	N
278	WSMan receive operation failed; error code {errorCode}.	Analytic	N
279	Calling into WSMan to receive output from the command	Analytic	N
280	Getting message for error code {inputErrorCode} completed successfully.	Analytic	N
281	Getting WSMan Session Option ({optionCode}).	Analytic	N
282	Access Denied error: the {apiCall} API caller does not match the creator of the …	Analytic	N
283	Plug-in reporting context for operation operationName.	Analytic	Y
284	Plug-in reporting data object for operation operationName.	Analytic	N
285	Plug-in reporting data object and EPR for operation operationName.	Analytic	N
286	Plug-in reporting data object and bookmark for operation operationName.	Analytic	N
287	Plug-in reporting data for operation Receive	Analytic	Y
288	Plug-in reporting operation complete for operationName.	Analytic	Y
289	Plug-in getting operational information for parameter parameters and operation …	Analytic	Y
290	Plug-in reporting the authorization for user username completed with error code …	Analytic	N
291	Plug-in reporting the authorization operation completed with error errorCode for …	Analytic	N
292	Updating the quota for the user username with error code errorCode.	Analytic	N
293	Initialization of WSMan API completed successfuly	Analytic	N
294	Deinitialization of WSMan API completed successfuly	Analytic	N
295	WSMan Create Session operation completed successfuly	Analytic	N
296	Setting WSMan Session Option ({optionCode}) failed; error code {errorCode}.	Analytic	N
297	Closing WSMan Session completed successfuly	Analytic	N
298	Getting message for error code {inputErrorCode} failed; the resulting error code …	Analytic	N
299	Signaling WSMan command failed; error code {errorCode}.	Analytic	N
300	Signaling WSMan command	Analytic	N
301	Closing WSMan shell failed; error code {errorCode}.	Analytic	N
302	Closing WSMan command failed; error code {errorCode}.	Analytic	N
303	Closing WSMan {operationName} operation completed successfully.	Analytic	N
304	Closing WSMan {operationName} operation failed; error code {errorCode}.	Analytic	N
305	Sending input to the command	Analytic	N
306	The WinRM service loaded the following plugin: provider (path).	Analytic	N
307	The WinRM service unloaded the following plugin: provider (path).	Analytic	N
308	The plugin called WSManPluginGetConfiguration with the parameter Flags and …	Analytic	N
309	The plugin called WSManPluginReportCompletion with the parameter Flags and …	Analytic	N
310	The plugin Plugin is being shut down because it was idle for longer than the …	Analytic	N
311	Signaling WSMan command failed, error code errorCode.	Analytic	N
312	Signaling WSMan command	Analytic	N
313	Sending input to the command	Analytic	N
314	Sending input to the shell	Analytic	N
315	Sending input operation failed, error code errorCode.	Analytic	N
316	Calling into WSMan to receive output from the shell	Analytic	N
317	WSMan receive operation failed, error code errorCode.	Analytic	N
318	Calling into WSMan to receive output from the command	Analytic	N
319	Getting message for error code inputErrorCode completed successfully.	Analytic	N
320	Getting WSMan Session Option (optionCode) - optionName.	Analytic	N
321	Signaling WSMan shell	Analytic	N
322	Signaling WSMan shell, error code errorCode.	Analytic	N
323	Closing WSMan operation	Analytic	N
324	Closing WSMan operationName operation completed successfully.	Analytic	N
325	Disconnecting shell with Id : argument.	Analytic	N
326	Disconnecting shell failed, error code errorCode.	Analytic	N
327	Reconnecting shell with Id : argument.	Analytic	N
328	Reconnecting shell failed, error code errorCode.	Analytic	N
329	Connecting shell with Id : argument.	Analytic	N
330	Connecting shell failed, error code errorCode.	Analytic	N
331	Reconnecting shell command with Id : argument.	Analytic	N
332	Reconnecting shell command failed, error code errorCode.	Analytic	N
333	Connecting shell command with Id : argument.	Analytic	N
334	Connecting shell command failed, error code errorCode.	Analytic	N
512	Auto-detecting proxy settings	Analytic	N
513	Proxy AutoDetect done.	Analytic	N
514	Setting proxy info.	Analytic	N
768	Processing client request for operation {operationName}.	Analytic	N
769	Entering the plugin for operation {operation} with a ResourceURI of …	Analytic	N
770	Leaving the plugin for operation {operation}.	Analytic	N
771	SOAP [client sending index index of totalChunks total chunks (bytes bytes)] …	Analytic	N
772	SOAP [listener receiving index index of totalChunks total chunks (bytes bytes)] …	Analytic	Y
773	The {senderName} user is allowed a maximum number of {concurrentShells} …	Analytic	N
774	The senderName user is allowed a maximum number of concurrentOperations …	Analytic	N
775	The user load quota of requests requests per windowTime seconds has been …	Analytic	N
776	The system load quota of requests requests per windowTime seconds has been …	Analytic	N
777	The maximum number of users ({users}) executing shell operations has been …	Analytic	N
778	Sending the request for operation {operationName} to destination machine and …	Analytic	N
779	SOAP [client sending index index of totalChunks total chunks (bytes bytes)] …	Analytic	N
780	The WinRM param1 has encountered network connectivity issues.	Analytic	N
781	The WinRM Client is attempting to re-establish a network connection.	Analytic	N
782	The WinRM Service has detected a new network connection from the client.	Analytic	N
783	The WinRM param1 has successfully re-established a network connection.	Analytic	N
784	The WinRM param1 failed to re-establish a network connection and is reporting a …	Analytic	N
785	The WSMan host process was started for user userName.	Analytic	N
786	The WSMan host process was terminated for user userName.	Analytic	N
787	Sending the request for operation operationName to destination machine and port …	Analytic	N
788	Processing client request for operation operationName.	Analytic	Y
789	Entering the plugin for operation operation with a ResourceURI of <resourceURI>.	Analytic	Y
790	Leaving the plugin for operation operation.	Analytic	Y
791	The WinRM service failed to enumerate DASH/SMASH specifications with MI error: …	Analytic	N
1024	Sending response for operation {operationName}.	Analytic	N
1025	Sending response error packet for ActionURI: actionUri.	Analytic	N
1026	SOAP [client receiving index index of totalChunks total chunks (bytes bytes)] …	Analytic	N
1027	SOAP [listener sending index index of totalChunks total chunks (bytes bytes)] …	Analytic	N
1028	Received the response from Network layer; status: {status}.	Analytic	N
1029	Received the response from Network layer; status: {status}.	Analytic	N
1030	Received redirect status code from Network layer; status: 302 …	Analytic	N
1031	WSMan operation {operationName} completed successfully.	Analytic	N
1032	Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT; using next …	Analytic	N
1033	Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED; using …	Analytic	N
1034	Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot …	Analytic	N
1035	The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)	Analytic	N
1036	The client got a login failure from the network layer …	Analytic	N
1037	The WSMan service could not launch a host process to process the given request.	Analytic	N
1038	The WSMan host process was unexpectedly terminated.	Analytic	N
1039	Sending HTTP error back to the client due to a transport failure.	Analytic	N
1040	Sending timeout response for operation: {operationName}.	Analytic	N
1041	Enumeration is shutting down	Analytic	N
1042	WSMan operation {operationName} failed; error code {errorCode}.	Analytic	N
1043	Subscription is shutting down	Analytic	N
1044	SOAP [listener sending index index of totalChunks total chunks (bytes bytes)] …	Analytic	Y
1045	Received the response from Network layer; status: 200 (HTTP_STATUS_OK)	Analytic	N
1046	An extended semantics callback timed out for the operationName operation.	Analytic	N
1047	Received the response from Network layer; status: status.	Analytic	N
1048	Sending HTTP error back to the client due to a transport failure.	Analytic	N
1049	Sending timeout response for operation: operationName.	Analytic	N
1050	Sending response for operation operationName.	Analytic	Y
1051	Received the response from Network layer; status: status.	Analytic	N
1052	WSMan operation operationName completed successfully.	Analytic	N
1053	WSMan operation operationName got suspended because of WSMan Shell …	Analytic	N
1054	WSMan operation operationName resuming because of WSMan Shell reconnection.	Analytic	N
1280	Sending HTTP 401 response to the client and disconnect the connection after …	Analytic	N
1281	User {username} authenticated successfully using {authenticationMechanism} …	Analytic	N
1282	The authentication using client certificate with subject {subject} done …	Analytic	N
1283	Authenticating the user using {authentication} mechanism.	Analytic	N
1285	Authenticating the user failed.	Analytic	N
1286	The authentication mechanism ({authClient}) requested by the client is not …	Analytic	N
1287	The destination computer ({destinationMachine}) returned an 'access denied' …	Analytic	N
1288	The authentication mechanism requested by the proxy is not supported by the …	Analytic	N
1289	The chosen authentication mechanism is {auth}.	Analytic	N
1291	Network layer AutoLogon policy was set to Low as a result of a HTTP 401 response …	Analytic	N
1292	Network layer AutoLogon policy was set to High	Analytic	N
1293	The chosen authentication mechanism is auth.	Analytic	N
1294	Sending HTTP 401 response to the client and disconnect the connection after …	Analytic	N
1295	User username authenticated successfully using authenticationMechanism …	Analytic	N
1296	The authentication using client certificate with subject subject done …	Analytic	N
1297	Authenticating the user using authentication mechanism.	Analytic	N
1536	Authorizing the user	Analytic	Y
1537	The authorization of the user was done successfully	Analytic	N
1538	The authorization of the user failed with error {errorCode}.	Analytic	N
1792	The Winrm service is starting	Analytic	N
1793	The Winrm service started successfully	Analytic	N
1794	The WinRM service is unable to start because of a failure during initialization.	Analytic	N
1795	The Winrm service is stopping	Analytic	N
1796	The Winrm service was stopped successfully	Analytic	N
1797	The WSMan service could not load current configuration settings as the settings …	Analytic	N
1798	The WSMan client could not load current configuration settings as the settings …	Analytic	N
1799	The WSMan service failed to read configuration of the following plugin: …	Analytic	N
1808	Event ID 1808	Analytic	N
1840	An error was encountered while processing an operation.	Analytic	N
1841	An error was encountered while processing an operation.	Analytic	N
1842	Extra information.	Analytic	N
1843	An unauthenticated connection from client clientIP is terminated.	Analytic	N
2048	[Filename:- param1; Line:- param2; Function:- param3;] param4.	Debug	N
2049	[Filename:- param1; Line:- param2; Function:- param3; ErrorCode:- param4] …	Debug	N
10111	User authentication using Basic authentication scheme failed.	System	Y
10148	The WinRM service is listening for WS-Management requests	System	Y
10149	The WinRM service is not listening for WS-Management requests	System	Y
10154	The WinRM service failed to create the following SPNs: spn1;	System	Y
468853	The WinRM service is not listening for requests since it failed to listen on at …	Operational	N
468854	The WinRM service is not listening for param1 requests because there was a …	Operational	N
468855	The WS-Management client is not listening for pushed events because there was a …	Operational	N
468856	The WinRM service is not listening for HTTPS requests because there was a …	Operational	N
468857	The WS-Management client is not listening for pushed events because there was a …	Operational	N
468862	The WinRM service cannot validate the client certificate because the revocation …	Operational	N
468863	User authentication using Basic authentication scheme failed.	Operational	N
468864	The client certificate exceeded the maximum size allowed by the WinRM service.	Operational	N
468865	Request processing failed because the WinRM service cannot load data or event …	Operational	N
468866	The SSL configuration for IP param1 and port param2 is shared with another …	Operational	N
468871	The WinRM service is unable to start because of a failure during initialization.	Operational	N
468872	The WinRM service has received an unsecure HTTP connection from param1.	Operational	N
468873	The WinRM service has been configured to accept basic authentication for …	Operational	N
468880	The WinRM service is not listening for HTTP requests because there was a failure …	Operational	N
468881	The WS-Management client is not listening for pushed events because there was a …	Operational	N
468882	IP Filter param1 specified in the GPO policy for Auto Configuration of listeners …	Operational	N
468883	The IP Range param1 is invalid and it will be ignored.	Operational	N
468884	The WinRM service is not listening for policy changes because there was a …	Operational	N
468888	The WinRM service encountered a catastrophic security failure.	Operational	N
468889	The WinRM service cannot migrate the listener with IP address param1 and Port …	Operational	N
468890	The WinRM service cannot migrate the listener with Address param1 and Transport …	Operational	N
468891	The WinRM service cannot migrate the listener with IP address param1 and Port …	Operational	N
468892	The WinRM service cannot migrate the listener with Address param1 and Transport …	Operational	N
468893	The WinRM service cannot migrate the listener with IP address param1, Port …	Operational	N
468894	The WinRM service cannot migrate the listener with Address param1 and Transport …	Operational	N
468895	The WinRM service had a failure during migration.	Operational	N
468896	The WinRM service had a failure reading the current configuration and is …	Operational	N
468897	The WinRM service had a failure applying the current configuration and is …	Operational	N
468898	The WinRM service had a failure reading the current configuration and is …	Operational	N
468899	The host name pattern "param1" is invalid and it will be ignored.	Operational	N
468900	The WinRM service is listening for WS-Management requests.	Operational	Y
468901	The WinRM service is not listening for WS-Management requests.	Operational	Y
468902	The WinRM service could not use the following listener to receive WS-Management …	Operational	N
468903	The WinRM service had a failure (param1) reading configuration during ip address …	Operational	N
468904	The WinRM service successfully processed an address change notification.	Operational	N
468905	The WSMan IIS module failed to read configuration.	Operational	N
468906	The WinRM service failed to create the following SPNs: spn1; spn2.	Operational	Y
468907	The WSMan service failed to read configuration of the following plugin.	Operational	N
468908	The WinRM service failed to initialize CredSSP.	Operational	N
468909	The WinRM service received an error while trying to unloading a data or event …	Operational	N
468910	The WinRM service is listening on the default param1 port param2 and on param1 …	Operational	N
468911	The WinRM service has terminated param1 unauthenticated connections over the …	Operational	N
3221734403	The WinRM service is stopping because there was a failure registering for …	Operational	N
3221734404	The WinRM service is stopping because there was a failure registering for …	Operational	N

Event ID 2: Initializing WSMan API

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManAPIInitialize
Opcode: Start

Description

Initializing WSMan API.

Message #

Initializing WSMan API

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:21:29.458003+00:00",
    "event_record_id": 96,
    "correlation": {
      "ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4780
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3: Initialization of WSMan API failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WSManAPIInitialize
Opcode: Stop

Description

Initialization of WSMan API failed, error code errorCode.

Message #

Initialization of WSMan API failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 4: Deinitializing WSMan API

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManAPIDeinitialize
Opcode: Start

Description

Deinitializing WSMan API.

Message #

Deinitializing WSMan API

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2025-12-31T19:35:53.792427+00:00",
    "event_record_id": 379,
    "correlation": {
      "ActivityID": "448C0251-84E6-4F2F-9CCC-D1000CB02549"
    },
    "execution": {
      "process_id": 5364,
      "thread_id": 5972
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 5: Deinitialization of WSMan API failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WSManAPIDeinitialize
Opcode: Stop

Description

Deinitialization of WSMan API failed, error code errorCode.

Message #

Deinitialization of WSMan API failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 6: Creating WSMan Session.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManSessioninitialize
Opcode: Start

Description

Creating WSMan Session. The connection string is: connection.

Message #

Creating WSMan Session. The connection string is: %1

Fields #

Name	Description
`connection` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 6,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:21:29.465878+00:00",
    "event_record_id": 98,
    "correlation": {
      "ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4780
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "connection": "localhost:47001/WSMan?MSP=7a83d074-bb86-4e52-aa3e-6cc73cc066c8;PSVersion=5.1.20348.617"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/winrm/events
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 7: WSMan Create Session operation failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WSManSessioninitialize
Opcode: Stop

Description

WSMan Create Session operation failed, error code errorCode.

Message #

WSMan Create Session operation failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 8: Closing WSMan Session

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManSessiondeinitialize
Opcode: Start

Description

Closing WSMan Session.

Message #

Closing WSMan Session

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 8,
    "version": 0,
    "level": 4,
    "task": 4,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2025-12-31T19:35:53.790604+00:00",
    "event_record_id": 378,
    "correlation": {
      "ActivityID": "448C0251-84E6-4F2F-9CCC-D1000CB02549"
    },
    "execution": {
      "process_id": 5364,
      "thread_id": 5944
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 9: Closing WSMan Session failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WSManSessiondeinitialize
Opcode: Stop

Description

Closing WSMan Session failed, error code errorCode.

Message #

Closing WSMan Session failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 10: Setting WSMan Session Option (optionCode) - optionName with value (optionValue) completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManAPIcall

Description

Setting WSMan Session Option (optionCode) - optionName with value (optionValue) completed successfully.

Message #

Setting WSMan Session Option (%1) - %2 with value (%3) completed successfully.

Fields #

Name	Description
`optionCode` UInt32
`optionName` UnicodeString
`optionValue` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 10,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:21:29.476896+00:00",
    "event_record_id": 106,
    "correlation": {
      "ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4780
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "optionCode": 16,
    "optionName": "WSMAN_OPTION_TIMEOUTMS_SIGNAL_SHELL",
    "optionValue": "60000"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 11: Creating WSMan shell with the ResourceUri: resourceUri and ShellId: shellId.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManAPIcall
Opcode: Start

Description

Creating WSMan shell with the ResourceUri: resourceUri and ShellId: shellId.

Message #

Creating WSMan shell with the ResourceUri: %1 and ShellId: %2

Fields #

Name	Description
`resourceUri` UnicodeString
`shellId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:21:29.628784+00:00",
    "event_record_id": 107,
    "correlation": {
      "ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4780
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "resourceUri": "http://schemas.microsoft.com/powershell/Microsoft.Windows.ServerManagerWorkflows",
    "shellId": "1480B89F-E871-42E4-BFB4-C8F88B053137"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 12: WSMan shell creation failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Error
Task: WSManAPIcall
Opcode: Stop

Description

WSMan shell creation failed, error code errorCode.

Message #

WSMan shell creation failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 2,
    "task": 5,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2026-03-13T19:30:27.006555+00:00",
    "event_record_id": 14808,
    "correlation": {
      "ActivityID": "FAA0C715-5567-44CF-A321-805CC6FC7AE4"
    },
    "execution": {
      "process_id": 4488,
      "thread_id": 4272
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "errorCode": 2150859195
  },
  "message": ""
}

Event ID 13: Running WSMan command with CommandId: commandId.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManAPIcall
Opcode: Start

Description

Running WSMan command with CommandId: commandId.

Message #

Running WSMan command with CommandId: %1

Fields #

Name	Description
`commandId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 13,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:21:40.298938+00:00",
    "event_record_id": 111,
    "correlation": {
      "ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4100
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "commandId": "69F6EC7D-1A5C-485B-B375-C500E469097C"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 14: Running WSMan command failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WSManAPIcall
Opcode: Stop

Description

Running WSMan command failed, error code errorCode.

Message #

Running WSMan command failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 15: Closing WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManAPIcall
Opcode: Start

Description

Closing WSMan command.

Message #

Closing WSMan command

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 15,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:21:43.025520+00:00",
    "event_record_id": 112,
    "correlation": {
      "ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 940
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 16: Closing WSMan shell

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManAPIcall
Opcode: Start

Description

Closing WSMan shell.

Message #

Closing WSMan shell

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 16,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T08:14:07.049150+00:00",
    "event_record_id": 63,
    "correlation": {
      "ActivityID": "DD7B0B6A-4A9E-0001-93A4-7BDD9E4AD801"
    },
    "execution": {
      "process_id": 1460,
      "thread_id": 3116
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 17: Signaling WSMan shell

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Signaling WSMan shell.

Message #

Signaling WSMan shell

Event ID 18: Signaling WSMan shell; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Signaling WSMan shell; error code {errorCode}.

Message #

Signaling WSMan shell; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 19: Closing WSMan operation

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Closing WSMan operation.

Message #

Closing WSMan operation

Event ID 20: Sending input to the shell

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Sending input to the shell.

Message #

Sending input to the shell

Event ID 21: Sending input operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Sending input operation failed; error code {errorCode}.

Message #

Sending input operation failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 22: Calling into WSMan to receive output from the shell

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Calling into WSMan to receive output from the shell.

Message #

Calling into WSMan to receive output from the shell

Event ID 23: WSMan receive operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

WSMan receive operation failed; error code {errorCode}.

Message #

WSMan receive operation failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 24: Calling into WSMan to receive output from the command

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Calling into WSMan to receive output from the command.

Message #

Calling into WSMan to receive output from the command

Event ID 26: Getting message for error code {inputErrorCode} completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Getting message for error code {inputErrorCode} completed successfully. The languageCode parameter was: {languageCode}.

Message #

Getting message for error code {inputErrorCode} completed successfully. The languageCode parameter was: {languageCode}

Fields #

Name	Description
`inputErrorCode`
`languageCode`

Event ID 27: Getting WSMan Session Option ({optionCode}).

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Getting WSMan Session Option ({optionCode}).

Message #

Getting WSMan Session Option ({optionCode})

Fields #

Name	Description
`optionCode`

Event ID 28: Access Denied error: the apiCall API caller does not match the creator of the application object.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WSManAPIcall
Opcode: Stop

Description

Access Denied error: the apiCall API caller does not match the creator of the application object.

Message #

Access Denied error: the %1 API caller does not match the creator of the application object

Fields #

Name	Description
`apiCall` UnicodeString

Event ID 29: Initialization of WSMan API completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManAPIInitialize
Opcode: Stop

Description

Initialization of WSMan API completed successfuly.

Message #

Initialization of WSMan API completed successfuly

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 29,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:21:29.458595+00:00",
    "event_record_id": 97,
    "correlation": {
      "ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4780
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 30: Deinitialization of WSMan API completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManAPIDeinitialize
Opcode: Stop

Description

Deinitialization of WSMan API completed successfuly.

Message #

Deinitialization of WSMan API completed successfuly

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 30,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2025-12-31T19:35:53.857484+00:00",
    "event_record_id": 396,
    "correlation": {
      "ActivityID": "448C0251-84E6-4F2F-9CCC-D1000CB02549"
    },
    "execution": {
      "process_id": 5364,
      "thread_id": 5972
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 31: WSMan Create Session operation completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManSessioninitialize
Opcode: Stop

Description

WSMan Create Session operation completed successfuly.

Message #

WSMan Create Session operation completed successfuly

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 31,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:21:29.472808+00:00",
    "event_record_id": 99,
    "correlation": {
      "ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4780
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 32: Setting WSMan Session Option (optionCode) - optionName failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WSManAPIcall

Description

Setting WSMan Session Option (optionCode) - optionName failed, error code errorCode.

Message #

Setting WSMan Session Option (%1) - %2 failed, error code %3.

Fields #

Name	Description
`optionCode` UInt32
`optionName` UnicodeString
`errorCode` UInt32

Event ID 33: Closing WSMan Session completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManSessiondeinitialize
Opcode: Stop

Description

Closing WSMan Session completed successfuly.

Message #

Closing WSMan Session completed successfuly

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 33,
    "version": 0,
    "level": 4,
    "task": 4,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2025-12-31T19:35:53.857495+00:00",
    "event_record_id": 397,
    "correlation": {
      "ActivityID": "448C0251-84E6-4F2F-9CCC-D1000CB02549"
    },
    "execution": {
      "process_id": 5364,
      "thread_id": 5944
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 34: Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}.

Message #

Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}

Fields #

Name	Description
`inputErrorCode`
`errorCode`

Event ID 35: Signaling WSMan command failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Signaling WSMan command failed; error code {errorCode}.

Message #

Signaling WSMan command failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 36: Signaling WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Signaling WSMan command.

Message #

Signaling WSMan command

Event ID 37: Closing WSMan shell failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WSManAPIcall
Opcode: Stop

Description

Closing WSMan shell failed, error code errorCode.

Message #

Closing WSMan shell failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 38: Closing WSMan command failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WSManAPIcall
Opcode: Stop

Description

Closing WSMan command failed, error code errorCode.

Message #

Closing WSMan command failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 39: Closing WSMan {operationName} operation completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Closing WSMan {operationName} operation completed successfully.

Message #

Closing WSMan {operationName} operation completed successfully

Fields #

Name	Description
`operationName`

Event ID 40: Closing WSMan operationName operation failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WSManAPIcall
Opcode: Stop

Description

Closing WSMan operationName operation failed, error code errorCode.

Message #

Closing WSMan %1 operation failed, error code %2

Fields #

Name	Description
`operationName` UnicodeString
`errorCode` UInt32

Event ID 41: The WinRM protocol handler has began loading for application applicationID.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WinRMMIProtocolHandler
Opcode: Start

Description

The WinRM protocol handler has began loading for application applicationID.

Message #

The WinRM protocol handler has began loading for application %1.

Fields #

Name	Description
`applicationID` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 41,
    "version": 0,
    "level": 4,
    "task": 14,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:21:54.064765+00:00",
    "event_record_id": 113,
    "correlation": {
      "ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4780
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "applicationID": "ServerManager.exe"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 42: The WinRM protocol handler completed unloading.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WinRMMIProtocolHandler
Opcode: Stop

Description

The WinRM protocol handler completed unloading.

Message #

The WinRM protocol handler completed unloading.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 42,
    "version": 0,
    "level": 4,
    "task": 14,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2026-03-13T16:57:49.982619+00:00",
    "event_record_id": 1760,
    "correlation": {
      "ActivityID": "028C3802-AD9E-000D-4C43-8D029EADDC01"
    },
    "execution": {
      "process_id": 8788,
      "thread_id": 10176
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 43: The WinRM protocol handler unloaded prematurely due to the following error: errorMessage.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WinRMMIProtocolHandler
Opcode: Stop

Description

The WinRM protocol handler unloaded prematurely due to the following error: errorMessage.

Message #

The WinRM protocol handler unloaded prematurely due to the following error: %2.

Fields #

Name	Description
`errorCode` UInt32
`errorMessage` UnicodeString

Event ID 44: The WinRM protocol handler started to create a session at the following destination: destination.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WinRMMISession
Opcode: Start

Description

The WinRM protocol handler started to create a session at the following destination: destination.

Message #

The WinRM protocol handler started to create a session at the following destination: %1.

Fields #

Name	Description
`destination` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 44,
    "version": 0,
    "level": 4,
    "task": 15,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:38:36.208888+00:00",
    "event_record_id": 276,
    "correlation": {},
    "execution": {
      "process_id": 4444,
      "thread_id": 2008
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "destination": "<local>"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 45: The WinRM protocol handler closed the session.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WinRMMISession
Opcode: Stop

Description

The WinRM protocol handler closed the session.

Message #

The WinRM protocol handler closed the session.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 45,
    "version": 0,
    "level": 4,
    "task": 15,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:38:36.283057+00:00",
    "event_record_id": 283,
    "correlation": {},
    "execution": {
      "process_id": 4444,
      "thread_id": 4432
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 46: The WinRM protocol session closed prematurely due to the following error: errorMessage.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: WinRMMISession
Opcode: Stop

Description

The WinRM protocol session closed prematurely due to the following error: errorMessage.

Message #

The WinRM protocol session closed prematurely due to the following error: %2.

Fields #

Name	Description
`errorCode` UInt32
`errorMessage` UnicodeString

Event ID 47: The WinRM protocol session began an operation of type operationType to the server.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WinRMMIOperation
Opcode: Start

Description

The WinRM protocol session began an operation of type operationType to the server. The operation accesses class className under the namespaceName namespace.

Message #

The WinRM protocol session began an operation of type %1 to the server. The operation accesses class %3 under the %2 namespace.

Fields #

Name	Description
`operationType` UnicodeString
`namespaceName` UnicodeString
`className` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 47,
    "version": 0,
    "level": 4,
    "task": 16,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:38:36.268345+00:00",
    "event_record_id": 278,
    "correlation": {
      "ActivityID": "E0AAB88C-4A9F-0001-B210-ABE09F4AD801"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4432
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "operationType": "GetClass",
    "namespaceName": "root/microsoft/windows/smb",
    "className": "MSFT_SmbServerConfiguration"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 48: The WinRM protocol session successfully completed the operation.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WinRMMIOperation
Opcode: Stop

Description

The WinRM protocol session successfully completed the operation.

Message #

The WinRM protocol session successfully completed the operation.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 48,
    "version": 0,
    "level": 4,
    "task": 16,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:38:36.278922+00:00",
    "event_record_id": 281,
    "correlation": {
      "ActivityID": "E0AAB88C-4A9F-0001-B210-ABE09F4AD801"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4432
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 49: The WinRM protocol operation failed due to the following error: errorMessage.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Error
Task: WinRMMIOperation
Opcode: Stop

Description

The WinRM protocol operation failed due to the following error: errorMessage.

Message #

The WinRM protocol operation failed due to the following error: %2.

Fields #

Name	Description
`errorCode` UInt32
`errorMessage` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 49,
    "version": 0,
    "level": 2,
    "task": 16,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2026-03-13T16:57:49.042601+00:00",
    "event_record_id": 1757,
    "correlation": {
      "ActivityID": "028C3802-AD9E-000D-4C43-8D029EADDC01"
    },
    "execution": {
      "process_id": 8788,
      "thread_id": 9388
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "errorCode": 2150859195,
    "errorMessage": "The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config."
  },
  "message": ""
}

Event ID 64: Auto-detecting proxy settings

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Auto-detecting proxy settings.

Message #

Auto-detecting proxy settings

Event ID 65: Proxy AutoDetect done.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Proxy AutoDetect done.Proxy list: {proxyList} Bypass list: {bypassList}.

Message #

Proxy AutoDetect done.Proxy list: {proxyList} Bypass list: {bypassList}

Fields #

Name	Description
`proxyList`
`bypassList`

Event ID 66: Setting proxy info Proxy list: {proxyList} Bypass list: {bypassList}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Setting proxy info Proxy list: {proxyList} Bypass list: {bypassList}.

Message #

Setting proxy info  Proxy list: {proxyList}  Bypass list: {bypassList}

Fields #

Name	Description
`proxyList`
`bypassList`

Event ID 80: Sending the request for operation {operationName} to destination machine and port {url}:{port}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Sending the request for operation {operationName} to destination machine and port {url}:{port}.

Message #

Sending the request for operation {operationName} to destination machine and port {url}:{port}

Fields #

Name	Description
`operationName`
`url`
`port`

Event ID 81: Processing client request for operation {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Processing client request for operation {operationName}.

Message #

Processing client request for operation {operationName}

Fields #

Name	Description
`operationName`

Event ID 82: Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>.

Message #

Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>

Fields #

Name	Description
`operation`
`resourceURI`

Event ID 83: Leaving the plugin for operation {operation}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Leaving the plugin for operation {operation}.

Message #

Leaving the plugin for operation {operation}

Fields #

Name	Description
`operation`

Event ID 84: The maximum number of users (users) executing shell operations has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Requesthandling

Description

The maximum number of users (users) executing shell operations has been exceeded.

Message #

The maximum number of users (%1) executing shell operations has been exceeded.
Retry after sometime or raise the quota for concurrent shell users.

Fields #

Name	Description
`users` UInt32

Event ID 85: The senderName user is allowed a maximum number of concurrentShells concurrent shells, which has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Requesthandling

Description

The senderName user is allowed a maximum number of concurrentShells concurrent shells, which has been exceeded.

Message #

The %1 user is allowed a maximum number of %2 concurrent shells, which has been exceeded.
Close existing shells or raise the quota for this user.

Fields #

Name	Description
`senderName` UnicodeString
`concurrentShells` UInt32

Event ID 86: The WSMan service could not launch a host process to process the given request.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Requesthandling

Description

The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. Error code errorCode.

Message #

The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. Error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 87: The WSMan host process was unexpectedly terminated.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Error
Task: Requesthandling

Description

The WSMan host process was unexpectedly terminated. Error code errorCode.

Message #

The WSMan host process was unexpectedly terminated. Error code %1

Fields #

Name	Description
`errorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 87,
    "version": 0,
    "level": 2,
    "task": 9,
    "opcode": 0,
    "keywords": 4611686018427387908,
    "time_created": "2022-04-07T08:14:06.985298+00:00",
    "event_record_id": 62,
    "correlation": {
      "ActivityID": "DD7B0B6A-4A9E-0000-F00E-7BDD9E4AD801"
    },
    "execution": {
      "process_id": 2576,
      "thread_id": 4764
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "errorCode": 1726
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 90: RunAs was disabled by Group Policy; WSMan service has erased all RunAs credentials.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Requesthandling

Description

RunAs was disabled by Group Policy; WSMan service has erased all RunAs credentials.

Message #

RunAs was disabled by Group Policy; WSMan service has erased all RunAs credentials.

Event ID 91: Creating WSMan shell on server with ResourceUri: resourceUri.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: Requesthandling

Description

Creating WSMan shell on server with ResourceUri: resourceUri.

Message #

Creating WSMan shell on server with ResourceUri: %1

Fields #

Name	Description
`resourceUri` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 91,
    "version": 0,
    "level": 4,
    "task": 9,
    "opcode": 0,
    "keywords": 4611686018427387908,
    "time_created": "2026-06-13T14:08:50.8998983+00:00",
    "event_record_id": 2400,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0004-CD20-82C688EFDC01}"
    },
    "execution": {
      "process_id": 1152,
      "thread_id": 8080
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "resourceUri": "http://schemas.microsoft.com/powershell/Microsoft.PowerShell"
  },
  "message": "Creating WSMan shell on server with ResourceUri: http://schemas.microsoft.com/powershell/Microsoft.PowerShell"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/winrm/events

Event ID 129: Received the response from Network layer; status: {status}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Received the response from Network layer; status: {status}.

Message #

Received the response from Network layer; status: {status}

Fields #

Name	Description
`status`	NTSTATUS reference

Event ID 130: Received the response from Network layer; status: {status}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Received the response from Network layer; status: {status}.

Message #

Received the response from Network layer; status: {status}

Fields #

Name	Description
`status`	NTSTATUS reference

Event ID 131: Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: location.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Responsehandling

Description

Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: location.

Message #

Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: %1

Fields #

Name	Description
`location` UnicodeString

Event ID 132: WSMan operation operationName completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: Responsehandling
Opcode: Stop

Description

WSMan operation operationName completed successfully.

Message #

WSMan operation %1 completed successfully

Fields #

Name	Description
`operationName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 132,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2026-05-29T11:33:36.3971896+00:00",
    "event_record_id": 2389,
    "correlation": {
      "ActivityID": "{1C0E3E7D-EF0B-0006-A053-0E1C0BEFDC01}"
    },
    "execution": {
      "process_id": 1876,
      "thread_id": 1444
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1000"
    }
  },
  "event_data": {
    "operationName": "Put"
  },
  "message": "WSMan operation Put completed successfully"
}

Event ID 133: Sending response error packet for ActionURI: {actionUri}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Sending response error packet for ActionURI: {actionUri}.

Message #

Sending response error packet for ActionURI: {actionUri}

Fields #

Name	Description
`actionUri`

Event ID 134: Sending response for operation {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Sending response for operation {operationName}.

Message #

Sending response for operation {operationName}

Fields #

Name	Description
`operationName`

Event ID 135: Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT, using next proxy

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Responsehandling

Description

Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT, using next proxy.

Message #

Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT, using next proxy

Event ID 136: Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED, using next proxy

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Responsehandling

Description

Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED, using next proxy.

Message #

Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED, using next proxy

Event ID 137: Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Responsehandling

Description

Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved. Aborting the operation.

Message #

Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved. Aborting the operation

Event ID 138: The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Error
Task: Responsehandling

Description

The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT).

Message #

The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 138,
    "version": 0,
    "level": 2,
    "task": 10,
    "opcode": 0,
    "keywords": 4611686018427387906,
    "time_created": "2026-03-13T16:58:52.389986+00:00",
    "event_record_id": 1804,
    "correlation": {
      "ActivityID": "028C3802-AD9E-0009-DEA5-8C029EADDC01"
    },
    "execution": {
      "process_id": 1528,
      "thread_id": 10360
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 139: The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE)

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Responsehandling

Description

The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE).

Message #

The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE)

Event ID 140: Sending HTTP error back to the client due to a transport failure.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Sending HTTP error back to the client due to a transport failure.The HTTP status code is {httpStatus}The error code is {errorCode}.

Message #

Sending HTTP error back to the client due to a transport failure.The HTTP status code is {httpStatus}The error code is {errorCode}

Fields #

Name	Description
`httpStatus`
`errorCode`

Event ID 141: Sending timeout response for operation: {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Sending timeout response for operation: {operationName}.

Message #

Sending timeout response for operation: {operationName}

Fields #

Name	Description
`operationName`

Event ID 142: WSMan operation operationName failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Error
Task: Responsehandling
Opcode: Stop

Description

WSMan operation operationName failed, error code errorCode.

Message #

WSMan operation %1 failed, error code %2

Fields #

Name	Description
`operationName` UnicodeString
`errorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 142,
    "version": 0,
    "level": 2,
    "task": 10,
    "opcode": 2,
    "keywords": 4611686018427387906,
    "time_created": "2023-11-06T00:47:48.782597+00:00",
    "event_record_id": 84,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0000-9DAB-E4E43710DA01"
    },
    "execution": {
      "process_id": 16164,
      "thread_id": 16312
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "operationName": "Enumeration",
    "errorCode": 2150858770
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 143: Received the response from Network layer; status: 200 (HTTP_STATUS_OK)

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Received the response from Network layer; status: 200 (HTTP_STATUS_OK).

Message #

Received the response from Network layer; status: 200 (HTTP_STATUS_OK)

Event ID 145: WSMan operation operationName started with resourceUri resourceUri.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: WSManAPIcall
Opcode: Start

Description

WSMan operation operationName started with resourceUri resourceUri.

Message #

WSMan operation %1 started with resourceUri %2

Fields #

Name	Description
`operationName` UnicodeString
`resourceUri` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 145,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2026-05-29T11:33:36.3112691+00:00",
    "event_record_id": 2388,
    "correlation": {
      "ActivityID": "{1C0E3E7D-EF0B-0006-A053-0E1C0BEFDC01}"
    },
    "execution": {
      "process_id": 1876,
      "thread_id": 1664
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1000"
    }
  },
  "event_data": {
    "operationName": "Put",
    "resourceUri": "http://schemas.microsoft.com/wbem/wsman/1/config"
  },
  "message": "WSMan operation Put started with resourceUri http://schemas.microsoft.com/wbem/wsman/1/config"
}

Event ID 160: Authenticating the user using {authentication} mechanism.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Authenticating the user using {authentication} mechanism.

Message #

Authenticating the user using {authentication} mechanism

Fields #

Name	Description
`authentication`

Event ID 161: authFailureMessage.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Error
Task: Userauthentication

Description

authFailureMessage

Message #

%1

Fields #

Name	Description
`authFailureMessage` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 161,
    "version": 0,
    "level": 2,
    "task": 7,
    "opcode": 0,
    "keywords": 4611686018427387914,
    "time_created": "2023-11-06T00:47:48.782381+00:00",
    "event_record_id": 83,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0002-A38B-E4E43710DA01"
    },
    "execution": {
      "process_id": 16164,
      "thread_id": 16312
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "authFailureMessage": "The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: \"winrm quickconfig\"."
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 162: Authenticating the user failed.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Error
Task: Userauthentication

Description

Authenticating the user failed. The credentials didn't work.

Message #

Authenticating the user failed. The credentials didn't work.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 162,
    "version": 0,
    "level": 2,
    "task": 7,
    "opcode": 0,
    "keywords": 4611686018427387914,
    "time_created": "2026-03-13T17:03:29.975606+00:00",
    "event_record_id": 1873,
    "correlation": {
      "ActivityID": "028C3802-AD9E-0009-E2AC-8C029EADDC01"
    },
    "execution": {
      "process_id": 8184,
      "thread_id": 4952
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 163: The authentication mechanism (authClient) requested by the client is not supported by the server.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Userauthentication

Description

The authentication mechanism (authClient) requested by the client is not supported by the server.

Message #

The authentication mechanism (%1) requested by the client is not supported by the server.
Possible authentication mechanisms reported by server: %2 %3 %4 %5 %6

Fields #

Name	Description
`authClient` UnicodeString
`authServer1` UnicodeString
`authServer2` UnicodeString
`authServer3` UnicodeString
`authServer4` UnicodeString
`authServer5` UnicodeString

Event ID 164: The destination computer (destinationMachine) returned an 'access denied' error.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Userauthentication

Description

The destination computer (destinationMachine) returned an 'access denied' error. Verify your credentials are correct.

Message #

The destination computer (%1) returned an 'access denied' error. Verify your credentials are correct.

Fields #

Name	Description
`destinationMachine` UnicodeString

Event ID 165: The authentication mechanism requested by the proxy is not supported by the client.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Userauthentication

Description

The authentication mechanism requested by the proxy is not supported by the client. The only proxy authentication mechanism supported are Negotiate, Basic or Digest.

Message #

The authentication mechanism requested by the proxy is not supported by the client. The only proxy authentication mechanism supported are Negotiate, Basic or Digest. 
Possible authentication mechanisms reported by proxy: %1 %2 %3 %4 %5

Fields #

Name	Description
`authProxy1` UnicodeString
`authProxy2` UnicodeString
`authProxy3` UnicodeString
`authProxy4` UnicodeString
`authProxy5` UnicodeString

Event ID 166: The chosen authentication mechanism is {auth}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The chosen authentication mechanism is {auth}.

Message #

The chosen authentication mechanism is {auth}

Fields #

Name	Description
`auth`

Event ID 168: Sending HTTP 401 response to the client and disconnect the connection after sending the response

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Sending HTTP 401 response to the client and disconnect the connection after sending the response.

Message #

Sending HTTP 401 response to the client and disconnect the connection after sending the response

Event ID 169

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational

Fields #

Name	Description
`username`
`authenticationMechanism`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 169,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 0,
    "keywords": 4611686018427387916,
    "time_created": "2019-05-20T15:54:32.564901+00:00",
    "event_record_id": 861,
    "correlation": {
      "ActivityID": "8534C364-2CC0-0001-C84D-A5F46C0FD501"
    },
    "execution": {
      "process_id": 1204,
      "thread_id": 3068
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "IEWIN7",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "username": "iewin7\\ieuser",
    "authenticationMechanism": "NTLM"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 170: The authentication using client certificate with subject {subject} done successfully.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The authentication using client certificate with subject {subject} done successfully.

Message #

The authentication using client certificate with subject {subject} done successfully

Fields #

Name	Description
`subject`

Event ID 171: Authenticating the user with the proxy failed.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Userauthentication

Description

Authenticating the user with the proxy failed. The credentials didn't work.

Message #

Authenticating the user with the proxy failed. The credentials didn't work.

Event ID 172: The server certificate on the destination computer (machineName:port) has the following errors: error1 error2 error3 error4 error5 error6 error7 error8.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Userauthentication

Description

The server certificate on the destination computer (machineName:port) has the following errors: error1 error2 error3 error4 error5 error6 error7 error8. Fix the server certificate and try again.

Message #

The server certificate on the destination computer (%1:%2) has the following errors: %3 %4 %5 %6 %7 %8 %9 %10. Fix the server certificate and try again.

Fields #

Name	Description
`machineName` UnicodeString
`port` UnicodeString
`error1` UnicodeString
`error2` UnicodeString
`error3` UnicodeString
`error4` UnicodeString
`error5` UnicodeString
`error6` UnicodeString
`error7` UnicodeString
`error8` UnicodeString

Event ID 173: The WinRM service has terminated param1 unauthenticated connections over the past param2 minutes to maintain healthy system state.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Userauthentication

Description

The WinRM service has terminated param1 unauthenticated connections over the past param2 minutes to maintain healthy system state. This will likely happen if the service is overloaded or if the service is under an authentication based attack. Action: Enable and observe Windows Remote Management Analytic log and look for warning events with Id 1843. These include additional information about the clients that got abruptly terminated.

Message #

The WinRM service has terminated %1 unauthenticated connections over the past %2 minutes to maintain healthy system state. This will likely happen if the service is overloaded or if the service is under an authentication based attack. 

 Action: 
Enable and observe Windows Remote Management Analytic log and look for warning events with Id 1843. These include additional information about the clients that got abruptly terminated.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 192: The authorization of the user failed with error errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: Userauthorization

Description

The authorization of the user failed with error errorCode.

Message #

The authorization of the user failed with error %1

Fields #

Name	Description
`errorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 192,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": 4611686018427387916,
    "time_created": "2026-03-13T17:30:10.610317+00:00",
    "event_record_id": 2649,
    "correlation": {
      "ActivityID": "DF92C490-B30B-0005-A2C8-92DF0BB3DC01"
    },
    "execution": {
      "process_id": 6952,
      "thread_id": 2464
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "errorCode": 5
  },
  "message": ""
}

Event ID 193: Request for user param1 (param2) will be executed using WinRM virtual account param3 (param4).

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: Userauthorization

Description

Request for user param1 (param2) will be executed using WinRM virtual account param3 (param4).

Message #

Request for user %1 (%2) will be executed using WinRM virtual account %3 (%4)

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString
`param4` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 193,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": 4611686018427387916,
    "time_created": "2019-05-20T15:54:32.564901+00:00",
    "event_record_id": 863,
    "correlation": {
      "ActivityID": "8534C364-2CC0-0001-C84D-A5F46C0FD501"
    },
    "execution": {
      "process_id": 1204,
      "thread_id": 3068
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "IEWIN7",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 194: The authorization of the user failed with error {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The authorization of the user failed with error {errorCode}.

Message #

The authorization of the user failed with error {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 208: The Winrm service is starting

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: Winrmservicestart/stop
Opcode: Start

Description

The Winrm service is starting.

Message #

The Winrm service is starting

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 208,
    "version": 0,
    "level": 4,
    "task": 11,
    "opcode": 1,
    "keywords": 4611686018427387908,
    "time_created": "2026-05-29T16:33:03.9687823+00:00",
    "event_record_id": 2391,
    "correlation": {},
    "execution": {
      "process_id": 3584,
      "thread_id": 3776
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {},
  "message": "The Winrm service is starting"
}

Event ID 209: The Winrm service started successfully

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: Winrmservicestart/stop

Description

The Winrm service started successfully.

Message #

The Winrm service started successfully

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 209,
    "version": 0,
    "level": 4,
    "task": 11,
    "opcode": 0,
    "keywords": 4611686018427387908,
    "time_created": "2026-05-29T16:33:06.8327959+00:00",
    "event_record_id": 2392,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0004-CD20-82C688EFDC01}"
    },
    "execution": {
      "process_id": 3584,
      "thread_id": 3776
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {},
  "message": "The Winrm service started successfully"
}

Event ID 210: The WinRM service is unable to start because of a failure during initialization.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Winrmservicestart/stop
Opcode: Stop

Description

The WinRM service is unable to start because of a failure during initialization. The error code is errorCode.

Message #

The WinRM service is unable to start because of a failure during initialization. The error code is %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 211: The Winrm service is stopping

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: Winrmservicestart/stop

Description

The Winrm service is stopping.

Message #

The Winrm service is stopping

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 211,
    "version": 0,
    "level": 4,
    "task": 11,
    "opcode": 0,
    "keywords": 4611686018427387908,
    "time_created": "2026-06-13T05:22:34.5173466+00:00",
    "event_record_id": 1741,
    "correlation": {
      "ActivityID": "{55D4FF8A-EF8A-0002-1E00-D5558AEFDC01}"
    },
    "execution": {
      "process_id": 3676,
      "thread_id": 924
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {},
  "message": "The Winrm service is stopping"
}

Event ID 212: The Winrm service was stopped successfully

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: Winrmservicestart/stop
Opcode: Stop

Description

The Winrm service was stopped successfully.

Message #

The Winrm service was stopped successfully

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 212,
    "version": 0,
    "level": 4,
    "task": 11,
    "opcode": 2,
    "keywords": 4611686018427387908,
    "time_created": "2026-06-13T05:22:34.5438732+00:00",
    "event_record_id": 1742,
    "correlation": {
      "ActivityID": "{55D4FF8A-EF8A-0002-1E00-D5558AEFDC01}"
    },
    "execution": {
      "process_id": 3676,
      "thread_id": 924
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {},
  "message": "The Winrm service was stopped successfully"
}

Event ID 213: The WSMan service could not load current configuration settings as the settings are corrupted.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Winrmservicestart/stop

Description

The WSMan service could not load current configuration settings as the settings are corrupted. The service is started with default settings instead.

Message #

The WSMan service could not load current configuration settings as the settings are corrupted. The service is started with default settings instead. 

 User Action 
 Use the following command to restore defaults: 

 winrm invoke Restore winrm/config @{}

Event ID 214: The WSMan client could not load current configuration settings as the settings are corrupted.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Winrmservicestart/stop

Description

The WSMan client could not load current configuration settings as the settings are corrupted. The client is operating with default settings instead.

Message #

The WSMan client could not load current configuration settings as the settings are corrupted. The client is operating with default settings instead. 

 User Action 
 Start the WinRM service and use the following command to restore defaults: 

 winrm invoke Restore winrm/config @{}

Event ID 215: The WSMan service failed to read configuration of the following plugin.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Winrmservicestart/stop

Description

The WSMan service failed to read configuration of the following plugin.

Message #

The WSMan service failed to read configuration of the following plugin: 
 %1. 

The error received was %2: %%%2 
 %3.

 User Action 
 Make sure this plugin configuration is valid.

Fields #

Name	Description
`pluginName` UnicodeString
`errorcode` UnicodeString
`errordetail` UnicodeString

Event ID 216: The WSMan service failed to restart the plugins marked for AutoRestart.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Winrmservicestart/stop

Description

The WSMan service failed to restart the plugins marked for AutoRestart. The error code received was errorcode.

Message #

The WSMan service failed to restart the plugins marked for AutoRestart. The error code received was %1.

Fields #

Name	Description
`errorcode` UnicodeString

Event ID 217: The WSMan service failed to restart the pluginName plugin on service startup.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Winrmservicestart/stop

Description

The WSMan service failed to restart the pluginName plugin on service startup. The error code received was errorcode.

Message #

The WSMan service failed to restart the %1 plugin on service startup. The error code received was %2.

Fields #

Name	Description
`pluginName` UnicodeString
`errorcode` UInt32

Event ID 218: The WSMan service successfully restarted the following plugin on service startup: pluginName.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Winrmservicestart/stop

Description

The WSMan service successfully restarted the following plugin on service startup: pluginName.

Message #

The WSMan service successfully restarted the following plugin on service startup: %1.

Fields #

Name	Description
`pluginName` UnicodeString

Event ID 219: The WSMan shell instance param1 will no longer support disconnect reconnect functionality because a non-supported request was sent by the client.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Winrmservicestart/stop

Description

The WSMan shell instance param1 will no longer support disconnect reconnect functionality because a non-supported request was sent by the client.

Message #

The WSMan shell instance %1 will no longer support disconnect reconnect functionality because a non-supported request was sent by the client.

Fields #

Name	Description
`param1` UnicodeString

Event ID 224: message.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational
Task: Winrmconfiguration

Description

message

Message #

%1

Fields #

Name	Description
`message` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 224,
    "version": 0,
    "level": 4,
    "task": 12,
    "opcode": 0,
    "keywords": 4611686018427387908,
    "time_created": "2026-03-13T17:01:46.087745+00:00",
    "event_record_id": 873,
    "correlation": {
      "ActivityID": "A84E255E-A05B-0007-9C29-4EA85BA0DC01"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 9060
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "message": "Enable the WinRM firewall exception. "
  },
  "message": ""
}

Event ID 229: The WinRM param1 failed to register for group policy change notifications.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Winrmconfiguration

Description

The WinRM param1 failed to register for group policy change notifications. The error code is param2.

Message #

The WinRM %1 failed to register for group policy change notifications. The error code is %2.

Fields #

Name	Description
`param1` UnicodeString
`param2` UInt32

Event ID 230: Deletion of registry key param1 resulted in access denied.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Task: Winrmconfiguration

Description

Deletion of registry key param1 resulted in access denied. If this registry entry is not marked specifically as read only, this seems like a potential issue.

Message #

Deletion of registry key %1 resulted in access denied. If this registry entry is not marked specifically as read only, this seems like a potential issue.

Fields #

Name	Description
`param1` UnicodeString

Event ID 254: Activity Transfer

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: Informational

Description

Activity Transfer.

Message #

Activity Transfer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 254,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387942,
    "time_created": "2023-11-06T00:47:48.782378+00:00",
    "event_record_id": 82,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0002-A38B-E4E43710DA01",
      "RelatedActivityID": "E4DB489E-1037-0000-9DAB-E4E43710DA01"
    },
    "execution": {
      "process_id": 16164,
      "thread_id": 16312
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 255: Activity Transfer

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Level: Informational

Description

Activity Transfer.

Message #

Activity Transfer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 255,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x2000000000000026",
    "time_created": "2026-06-02T05:32:28.985+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0007-045C-818753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 22924
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 257: Initializing WSMan API

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Initializing WSMan API.

Message #

Initializing WSMan API

Event ID 258: Initialization of WSMan API failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Initialization of WSMan API failed; error code {errorCode}.

Message #

Initialization of WSMan API failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 259: Deinitializing WSMan API

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Deinitializing WSMan API.

Message #

Deinitializing WSMan API

Event ID 260: Deinitialization of WSMan API failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Deinitialization of WSMan API failed; error code {errorCode}.

Message #

Deinitialization of WSMan API failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 261: Creating WSMan Session.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Creating WSMan Session. The connection string is: {connection}.

Message #

Creating WSMan Session. The connection string is: {connection}

Fields #

Name	Description
`connection`

Event ID 262: WSMan Create Session operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

WSMan Create Session operation failed; error code {errorCode}.

Message #

WSMan Create Session operation failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 263: Closing WSMan Session

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Closing WSMan Session.

Message #

Closing WSMan Session

Event ID 264: Closing WSMan Session failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Closing WSMan Session failed; error code {errorCode}.

Message #

Closing WSMan Session failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 265: Setting WSMan Session Option ({optionCode}) with value ({optionValue}) completed successfuly.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Setting WSMan Session Option ({optionCode}) with value ({optionValue}) completed successfuly.

Message #

Setting WSMan Session Option ({optionCode}) with value ({optionValue}) completed successfuly

Fields #

Name	Description
`optionCode`
`optionValue`

Event ID 266: Creating WSMan shell with the ResourceUri: {resourceUri}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Creating WSMan shell with the ResourceUri: {resourceUri}.

Message #

Creating WSMan shell with the ResourceUri: {resourceUri}

Fields #

Name	Description
`resourceUri`

Event ID 267: WSMan shell creation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

WSMan shell creation failed; error code {errorCode}.

Message #

WSMan shell creation failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 268: Running WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Running WSMan command.

Message #

Running WSMan command

Event ID 269: Running WSMan command failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Running WSMan command failed; error code {errorCode}.

Message #

Running WSMan command failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 270: Closing WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Closing WSMan command.

Message #

Closing WSMan command

Event ID 271: Closing WSMan shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Closing WSMan shell.

Message #

Closing WSMan shell

Event ID 272: Signaling WSMan shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Signaling WSMan shell.

Message #

Signaling WSMan shell

Event ID 273: Signaling WSMan shell; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Signaling WSMan shell; error code {errorCode}.

Message #

Signaling WSMan shell; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 274: Closing WSMan operation

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Closing WSMan operation.

Message #

Closing WSMan operation

Event ID 275: Sending input to the shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Sending input to the shell.

Message #

Sending input to the shell

Event ID 276: Sending input operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Sending input operation failed; error code {errorCode}.

Message #

Sending input operation failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 277: Calling into WSMan to receive output from the shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Calling into WSMan to receive output from the shell.

Message #

Calling into WSMan to receive output from the shell

Event ID 278: WSMan receive operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

WSMan receive operation failed; error code {errorCode}.

Message #

WSMan receive operation failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 279: Calling into WSMan to receive output from the command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Calling into WSMan to receive output from the command.

Message #

Calling into WSMan to receive output from the command

Event ID 280: Getting message for error code {inputErrorCode} completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Getting message for error code {inputErrorCode} completed successfully. The languageCode parameter was: {languageCode}.

Message #

Getting message for error code {inputErrorCode} completed successfully. The languageCode parameter was: {languageCode}

Fields #

Name	Description
`inputErrorCode`
`languageCode`

Event ID 281: Getting WSMan Session Option ({optionCode}).

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Getting WSMan Session Option ({optionCode}).

Message #

Getting WSMan Session Option ({optionCode})

Fields #

Name	Description
`optionCode`

Event ID 282: Access Denied error: the {apiCall} API caller does not match the creator of the application object.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Access Denied error: the {apiCall} API caller does not match the creator of the application object.

Message #

Access Denied error: the {apiCall} API caller does not match the creator of the application object

Fields #

Name	Description
`apiCall`

Event ID 283: Plug-in reporting context for operation operationName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: WSManAPIcall

Description

Plug-in reporting context for operation operationName.

Message #

Plug-in reporting context for operation %1

Fields #

Name	Description
`operationName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 283,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": "0x2000000000000004",
    "time_created": "2026-06-02T05:32:28.993+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E6F0EC88-0EBD-4322-8998-6DA0441305E6}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 22924
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "operationName": "Command"
  },
  "message": "Task.ApiCall"
}

Event ID 284: Plug-in reporting data object for operation operationName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall

Description

Plug-in reporting data object for operation operationName.

Message #

Plug-in reporting data object for operation %1

Fields #

Name	Description
`operationName` UnicodeString

Event ID 285: Plug-in reporting data object and EPR for operation operationName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall

Description

Plug-in reporting data object and EPR for operation operationName.

Message #

Plug-in reporting data object and EPR for operation %1

Fields #

Name	Description
`operationName` UnicodeString

Event ID 286: Plug-in reporting data object and bookmark for operation operationName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall

Description

Plug-in reporting data object and bookmark for operation operationName.

Message #

Plug-in reporting data object and bookmark for operation %1

Fields #

Name	Description
`operationName` UnicodeString

Event ID 287: Plug-in reporting data for operation Receive

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Level: Informational
Task: WSManAPIcall

Description

Plug-in reporting data for operation Receive.

Message #

Plug-in reporting data for operation Receive

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 287,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": "0x2000000000000004",
    "time_created": "2026-06-02T05:32:28.985+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0008-7B94-818753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 22924
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "Task.ApiCall"
}

Event ID 288: Plug-in reporting operation complete for operationName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: WSManAPIcall

Description

Plug-in reporting operation complete for operationName.

Message #

Plug-in reporting operation complete for %1

Fields #

Name	Description
`operationName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 288,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": "0x2000000000000004",
    "time_created": "2026-06-02T05:32:28.986+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0007-005C-818753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 22924
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "operationName": "Receive"
  },
  "message": "Task.ApiCall"
}

Event ID 289: Plug-in getting operational information for parameter parameters and operation operationName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: WSManAPIcall

Description

Plug-in getting operational information for parameter parameters and operation operationName.

Message #

Plug-in getting operational information for parameter %1 and operation %2

Fields #

Name	Description
`parameters` UInt32
`operationName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 289,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": "0x2000000000000004",
    "time_created": "2026-06-02T05:32:28.993+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E6F0EC88-0EBD-4322-8998-6DA0441305E6}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 22924
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "operationName": "Command",
    "parameters": 5
  },
  "message": "Task.ApiCall"
}

Event ID 290: Plug-in reporting the authorization for user username completed with error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall

Description

Plug-in reporting the authorization for user username completed with error code errorCode.

Message #

Plug-in reporting the authorization for user %1 completed with error code %2

Fields #

Name	Description
`username` UnicodeString
`errorCode` UInt32

Event ID 291: Plug-in reporting the authorization operation completed with error errorCode for operation operation and ResourceUri resourceUri.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall

Description

Plug-in reporting the authorization operation completed with error errorCode for operation operation and ResourceUri resourceUri.

Message #

Plug-in reporting the authorization operation completed with error %1 for operation %2 and ResourceUri %3

Fields #

Name	Description
`errorCode` UInt32
`operation` UnicodeString
`resourceUri` UnicodeString

Event ID 292: Updating the quota for the user username with error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall

Description

Updating the quota for the user username with error code errorCode.

Message #

Updating the quota for the user %1 with error code %2
 maxAllowedConcurrentShells=%3
 maxAllowedConcurrentOperations=%4
 timeslotSize=%5
 maxAllowedOperationsPerTimeslot=%6

Fields #

Name	Description
`username` UnicodeString
`errorCode` UInt32
`maxAllowedConcurrentShells` UInt32
`maxAllowedConcurrentOperations` UInt32
`timeslotSize` UInt32
`maxAllowedOperationsPerTimeslot` UInt32

Event ID 293: Initialization of WSMan API completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Initialization of WSMan API completed successfuly.

Message #

Initialization of WSMan API completed successfuly

Event ID 294: Deinitialization of WSMan API completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Deinitialization of WSMan API completed successfuly.

Message #

Deinitialization of WSMan API completed successfuly

Event ID 295: WSMan Create Session operation completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

WSMan Create Session operation completed successfuly.

Message #

WSMan Create Session operation completed successfuly

Event ID 296: Setting WSMan Session Option ({optionCode}) failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Setting WSMan Session Option ({optionCode}) failed; error code {errorCode}.

Message #

Setting WSMan Session Option ({optionCode}) failed; error code {errorCode}

Fields #

Name	Description
`optionCode`
`errorCode`

Event ID 297: Closing WSMan Session completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Closing WSMan Session completed successfuly.

Message #

Closing WSMan Session completed successfuly

Event ID 298: Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}.

Message #

Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}

Fields #

Name	Description
`inputErrorCode`
`errorCode`

Event ID 299: Signaling WSMan command failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Signaling WSMan command failed; error code {errorCode}.

Message #

Signaling WSMan command failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 300: Signaling WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Signaling WSMan command.

Message #

Signaling WSMan command

Event ID 301: Closing WSMan shell failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Closing WSMan shell failed; error code {errorCode}.

Message #

Closing WSMan shell failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 302: Closing WSMan command failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Closing WSMan command failed; error code {errorCode}.

Message #

Closing WSMan command failed; error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 303: Closing WSMan {operationName} operation completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Closing WSMan {operationName} operation completed successfully.

Message #

Closing WSMan {operationName} operation completed successfully

Fields #

Name	Description
`operationName`

Event ID 304: Closing WSMan {operationName} operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Closing WSMan {operationName} operation failed; error code {errorCode}.

Message #

Closing WSMan {operationName} operation failed; error code {errorCode}

Fields #

Name	Description
`operationName`
`errorCode`

Event ID 305: Sending input to the command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Sending input to the command.

Message #

Sending input to the command

Event ID 306: The WinRM service loaded the following plugin: provider (path).

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

The WinRM service loaded the following plugin: provider (path).

Message #

The WinRM service loaded the following plugin: %1 (%2)

Fields #

Name	Description
`provider` UnicodeString
`path` UnicodeString

Event ID 307: The WinRM service unloaded the following plugin: provider (path).

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

The WinRM service unloaded the following plugin: provider (path).

Message #

The WinRM service unloaded the following plugin: %1 (%2)

Fields #

Name	Description
`provider` UnicodeString
`path` UnicodeString

Event ID 308: The plugin called WSManPluginGetConfiguration with the parameter Flags and obtained a return value of Result.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall

Description

The plugin called WSManPluginGetConfiguration with the parameter Flags and obtained a return value of Result.

Message #

The plugin called WSManPluginGetConfiguration with the parameter %1 and obtained a return value of %2.

Fields #

Name	Description
`Flags` UInt32
`Result` UInt32

Event ID 309: The plugin called WSManPluginReportCompletion with the parameter Flags and obtained a return value of Result.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall

Description

The plugin called WSManPluginReportCompletion with the parameter Flags and obtained a return value of Result.

Message #

The plugin called WSManPluginReportCompletion with the parameter %1 and obtained a return value of %2.

Fields #

Name	Description
`Flags` UInt32
`Result` UInt32

Event ID 310: The plugin Plugin is being shut down because it was idle for longer than the configured HostIdleTimeoutSecs quota.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall

Description

The plugin Plugin is being shut down because it was idle for longer than the configured HostIdleTimeoutSecs quota.

Message #

The plugin %1 is being shut down because it was idle for longer than the configured HostIdleTimeoutSecs quota.

Fields #

Name	Description
`Plugin` UnicodeString

Event ID 311: Signaling WSMan command failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

Signaling WSMan command failed, error code errorCode.

Message #

Signaling WSMan command failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 312: Signaling WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Signaling WSMan command.

Message #

Signaling WSMan command

Event ID 313: Sending input to the command

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Sending input to the command.

Message #

Sending input to the command

Event ID 314: Sending input to the shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Sending input to the shell.

Message #

Sending input to the shell

Event ID 315: Sending input operation failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

Sending input operation failed, error code errorCode.

Message #

Sending input operation failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 316: Calling into WSMan to receive output from the shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Calling into WSMan to receive output from the shell.

Message #

Calling into WSMan to receive output from the shell

Event ID 317: WSMan receive operation failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

WSMan receive operation failed, error code errorCode.

Message #

WSMan receive operation failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 318: Calling into WSMan to receive output from the command

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Calling into WSMan to receive output from the command.

Message #

Calling into WSMan to receive output from the command

Event ID 319: Getting message for error code inputErrorCode completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

Getting message for error code inputErrorCode completed successfully. The languageCode parameter was: languageCode.

Message #

Getting message for error code %1 completed successfully. The languageCode parameter was: %2

Fields #

Name	Description
`inputErrorCode` UInt32
`languageCode` UnicodeString

Event ID 320: Getting WSMan Session Option (optionCode) - optionName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Getting WSMan Session Option (optionCode) - optionName.

Message #

Getting WSMan Session Option (%1) - %2.

Fields #

Name	Description
`optionCode` UInt32
`optionName` UnicodeString

Event ID 321: Signaling WSMan shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Signaling WSMan shell.

Message #

Signaling WSMan shell

Event ID 322: Signaling WSMan shell, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

Signaling WSMan shell, error code errorCode.

Message #

Signaling WSMan shell, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 323: Closing WSMan operation

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Closing WSMan operation.

Message #

Closing WSMan operation

Event ID 324: Closing WSMan operationName operation completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

Closing WSMan operationName operation completed successfully.

Message #

Closing WSMan %1 operation completed successfully

Fields #

Name	Description
`operationName` UnicodeString

Event ID 325: Disconnecting shell with Id : argument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Disconnecting shell with Id : argument.

Message #

Disconnecting shell with Id : %1

Fields #

Name	Description
`argument` UnicodeString

Event ID 326: Disconnecting shell failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

Disconnecting shell failed, error code errorCode.

Message #

Disconnecting shell failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 327: Reconnecting shell with Id : argument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Reconnecting shell with Id : argument.

Message #

Reconnecting shell  with Id : %1

Fields #

Name	Description
`argument` UnicodeString

Event ID 328: Reconnecting shell failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

Reconnecting shell failed, error code errorCode.

Message #

Reconnecting shell failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 329: Connecting shell with Id : argument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Connecting shell with Id : argument.

Message #

Connecting shell  with Id : %1

Fields #

Name	Description
`argument` UnicodeString

Event ID 330: Connecting shell failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

Connecting shell failed, error code errorCode.

Message #

Connecting shell failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 331: Reconnecting shell command with Id : argument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Reconnecting shell command with Id : argument.

Message #

Reconnecting shell command  with Id : %1

Fields #

Name	Description
`argument` UnicodeString

Event ID 332: Reconnecting shell command failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

Reconnecting shell command failed, error code errorCode.

Message #

Reconnecting shell command failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 333: Connecting shell command with Id : argument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Start

Description

Connecting shell command with Id : argument.

Message #

Connecting shell command  with Id : %1

Fields #

Name	Description
`argument` UnicodeString

Event ID 334: Connecting shell command failed, error code errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WSManAPIcall
Opcode: Stop

Description

Connecting shell command failed, error code errorCode.

Message #

Connecting shell command failed, error code %1

Fields #

Name	Description
`errorCode` UInt32

Event ID 512: Auto-detecting proxy settings

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Auto_detectingproxysettings
Opcode: Start

Description

Auto-detecting proxy settings.

Message #

Auto-detecting proxy settings

Event ID 513: Proxy AutoDetect done.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Auto_detectingproxysettings
Opcode: Stop

Description

Proxy AutoDetect done.

Message #

Proxy AutoDetect done.
Proxy list: %1 
Bypass list: %2

Fields #

Name	Description
`proxyList` UnicodeString
`bypassList` UnicodeString

Event ID 514: Setting proxy info.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Auto_detectingproxysettings

Description

Setting proxy info.

Message #

Setting proxy info 
 Proxy list: %1 
 Bypass list: %2

Fields #

Name	Description
`proxyList` UnicodeString
`bypassList` UnicodeString

Event ID 768: Processing client request for operation {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Processing client request for operation {operationName}.

Message #

Processing client request for operation {operationName}

Fields #

Name	Description
`operationName`

Event ID 769: Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>.

Message #

Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>

Fields #

Name	Description
`operation`
`resourceURI`

Event ID 770: Leaving the plugin for operation {operation}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Leaving the plugin for operation {operation}.

Message #

Leaving the plugin for operation {operation}

Fields #

Name	Description
`operation`

Event ID 771: SOAP [client sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

SOAP [client sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Message #

SOAP [client sending index %1 of %2 total chunks (%3 bytes)] %4

Fields #

Name	Description
`index` UInt32
`totalChunks` UInt32
`bytes` UInt32
`SoapDocument` UnicodeString

Event ID 772: SOAP [listener receiving index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Requesthandling

Description

SOAP [listener receiving index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Message #

SOAP [listener receiving index %1 of %2 total chunks (%3 bytes)] %4

Fields #

Name	Description
`index` UInt32
`totalChunks` UInt32
`bytes` UInt32
`SoapDocument` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 772,
    "version": 0,
    "level": 4,
    "task": 9,
    "opcode": 0,
    "keywords": "0x2000000000000005",
    "time_created": "2026-06-02T05:32:28.992+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0009-EB78-7F8753F0DC01}"
    },
    "execution": {
      "process_id": 4672,
      "thread_id": 17880
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SoapDocument": "<s:Envelope xmlns:rsp=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:wsman=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:wsmv=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\"><s:Header><wsa:Action s:mustUnderstand=\"true\">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</wsa:Action><wsmv:DataLocale s:mustUnderstand=\"false\" xml:lang=\"en-US\" /><wsman:Locale s:mustUnderstand=\"false\" xml:lang=\"en-US\" /><wsman:MaxEnvelopeSize s:mustUnderstand=\"true\">512000</wsman:MaxEnvelopeSize><wsa:MessageID>uuid:FC55EFC6-1167-4F07-AE78-171E27FA4F28</wsa:MessageID><wsman:OperationTimeout>PT50S</wsman:OperationTimeout><wsa:ReplyTo><wsa:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:ReplyTo><wsman:ResourceURI s:mustUnderstand=\"true\">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</wsman:ResourceURI><wsmv:SessionId s:mustUnderstand=\"false\">uuid:BA24F3F0-F769-42AA-B48B-1C82E340AD0D</wsmv:SessionId><wsa:To>http://10.2.10.11:5985/wsman</wsa:To><wsman:OptionSet s:mustUnderstand=\"true\"><wsman:Option Name=\"WINRS_SKIP_CMD_SHELL\">False</wsman:Option></wsman:OptionSet><wsman:SelectorSet><wsman:Selector Name=\"ShellId\">3F291011-56F8-4FA3-A480-3E3164B15333</wsman:Selector></wsman:SelectorSet></s:Header><s:Body><rsp:CommandLine CommandId=\"7F4BC879-EF34-415C-A317-A9D1E7110033\"><r",
    "bytes": 3000,
    "index": 1,
    "totalChunks": 4
  },
  "message": "Task.RequestHandling"
}

Event ID 773: The {senderName} user is allowed a maximum number of {concurrentShells} concurrent shells; which has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The {senderName} user is allowed a maximum number of {concurrentShells} concurrent shells; which has been exceeded.Close existing shells or raise the quota for this user.

Message #

The {senderName} user is allowed a maximum number of {concurrentShells} concurrent shells; which has been exceeded.Close existing shells or raise the quota for this user.

Fields #

Name	Description
`senderName`
`concurrentShells`

Event ID 774: The senderName user is allowed a maximum number of concurrentOperations concurrent operations, which has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The senderName user is allowed a maximum number of concurrentOperations concurrent operations, which has been exceeded.

Message #

The %1 user is allowed a maximum number of %2 concurrent operations, which has been exceeded.
Close existing operations for this user, or raise the quota for this user.

Fields #

Name	Description
`senderName` UnicodeString
`concurrentOperations` UInt32

Event ID 775: The user load quota of requests requests per windowTime seconds has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The user load quota of requests requests per windowTime seconds has been exceeded.

Message #

The user load quota of %1 requests per %2 seconds has been exceeded.
Send future requests at a slower rate or raise the quota for the %3 user.
The next request from this user will not be approved for at least %4 milliseconds.

Fields #

Name	Description
`requests` UInt32
`windowTime` UInt32
`senderName` UnicodeString
`delayHint` UInt32

Event ID 776: The system load quota of requests requests per windowTime seconds has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The system load quota of requests requests per windowTime seconds has been exceeded.

Message #

The system load quota of %1 requests per %2 seconds has been exceeded.
Send future requests at a slower rate or raise the system quota.
The next request from the user %3 will not be approved for at least %4 milliseconds.

Fields #

Name	Description
`requests` UInt32
`windowTime` UInt32
`senderName` UnicodeString
`delayHint` UInt32

Event ID 777: The maximum number of users ({users}) executing shell operations has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The maximum number of users ({users}) executing shell operations has been exceeded.Retry after sometime or raise the quota for concurrent shell users.

Message #

The maximum number of users ({users}) executing shell operations has been exceeded.Retry after sometime or raise the quota for concurrent shell users.

Fields #

Name	Description
`users`

Event ID 778: Sending the request for operation {operationName} to destination machine and port {url}:{port}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Sending the request for operation {operationName} to destination machine and port {url}:{port}.

Message #

Sending the request for operation {operationName} to destination machine and port {url}:{port}

Fields #

Name	Description
`operationName`
`url`
`port`

Event ID 779: SOAP [client sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

SOAP [client sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Message #

SOAP [client sending index %1 of %2 total chunks (%3 bytes)] %4

Fields #

Name	Description
`index` UInt32
`totalChunks` UInt32
`bytes` UInt32
`SoapDocument` AnsiString

Event ID 780: The WinRM param1 has encountered network connectivity issues.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The WinRM param1 has encountered network connectivity issues.

Message #

The WinRM %1 has encountered network connectivity issues.

Fields #

Name	Description
`param1` UnicodeString

Event ID 781: The WinRM Client is attempting to re-establish a network connection.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The WinRM Client is attempting to re-establish a network connection.

Message #

The WinRM Client is attempting to re-establish a network connection.

Event ID 782: The WinRM Service has detected a new network connection from the client.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The WinRM Service has detected a new network connection from the client.

Message #

The WinRM Service has detected a new network connection from the client.

Event ID 783: The WinRM param1 has successfully re-established a network connection.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The WinRM param1 has successfully re-established a network connection.

Message #

The WinRM %1 has successfully re-established a network connection.

Fields #

Name	Description
`param1` UnicodeString

Event ID 784: The WinRM param1 failed to re-establish a network connection and is reporting a failure.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The WinRM param1 failed to re-establish a network connection and is reporting a failure.

Message #

The WinRM %1 failed to re-establish a network connection and is reporting a failure.

Fields #

Name	Description
`param1` UnicodeString

Event ID 785: The WSMan host process was started for user userName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The WSMan host process was started for user userName.

Message #

The WSMan host process was started for user %1.

Fields #

Name	Description
`userName` UnicodeString

Event ID 786: The WSMan host process was terminated for user userName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The WSMan host process was terminated for user userName.

Message #

The WSMan host process was terminated for user %1.

Fields #

Name	Description
`userName` UnicodeString

Event ID 787: Sending the request for operation operationName to destination machine and port url:port.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling
Opcode: Start

Description

Sending the request for operation operationName to destination machine and port url:port.

Message #

Sending the request for operation %1 to destination machine and port %2:%3

Fields #

Name	Description
`operationName` UnicodeString
`url` UnicodeString
`port` UInt32

Event ID 788: Processing client request for operation operationName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Requesthandling

Description

Processing client request for operation operationName.

Message #

Processing client request for operation %1

Fields #

Name	Description
`operationName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 788,
    "version": 0,
    "level": 4,
    "task": 9,
    "opcode": 0,
    "keywords": "0x2000000000000004",
    "time_created": "2026-06-02T05:32:28.993+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E6F0EC88-0EBD-4322-8998-6DA0441305E6}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 22924
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "operationName": "Command"
  },
  "message": "Task.RequestHandling"
}

Event ID 789: Entering the plugin for operation operation with a ResourceURI of <resourceURI>.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Requesthandling

Description

Entering the plugin for operation operation with a ResourceURI of <resourceURI>.

Message #

Entering the plugin for operation %1 with a ResourceURI of <%2>

Fields #

Name	Description
`operation` UnicodeString
`resourceURI` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 789,
    "version": 0,
    "level": 4,
    "task": 9,
    "opcode": 0,
    "keywords": "0x2000000000000004",
    "time_created": "2026-06-02T05:32:28.993+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E6F0EC88-0EBD-4322-8998-6DA0441305E6}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 22924
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "operation": "Command",
    "resourceURI": "http://schemas.microsoft.com/powershell/Microsoft.PowerShell"
  },
  "message": "Task.RequestHandling"
}

Event ID 790: Leaving the plugin for operation operation.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Requesthandling
Opcode: Stop

Description

Leaving the plugin for operation operation.

Message #

Leaving the plugin for operation %1

Fields #

Name	Description
`operation` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 790,
    "version": 0,
    "level": 4,
    "task": 9,
    "opcode": 2,
    "keywords": "0x2000000000000004",
    "time_created": "2026-06-02T05:32:28.987+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0007-005C-818753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 22924
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "operation": "Command"
  },
  "message": "Task.RequestHandling"
}

Event ID 791: The WinRM service failed to enumerate DASH/SMASH specifications with MI error: errorCode.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Requesthandling

Description

The WinRM service failed to enumerate DASH/SMASH specifications with MI error: errorCode.

Message #

The WinRM service failed to enumerate DASH/SMASH specifications with MI error: %1.

Fields #

Name	Description
`errorCode` UInt32

Event ID 1024: Sending response for operation {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Sending response for operation {operationName}.

Message #

Sending response for operation {operationName}

Fields #

Name	Description
`operationName`

Event ID 1025: Sending response error packet for ActionURI: actionUri.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling

Description

Sending response error packet for ActionURI: actionUri.

Message #

Sending response error packet for ActionURI: %1

Fields #

Name	Description
`actionUri` UnicodeString

Event ID 1026: SOAP [client receiving index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling

Description

SOAP [client receiving index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Message #

SOAP [client receiving index %1 of %2 total chunks (%3 bytes)] %4

Fields #

Name	Description
`index` UInt32
`totalChunks` UInt32
`bytes` UInt32
`SoapDocument` UnicodeString

Event ID 1027: SOAP [listener sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling

Description

SOAP [listener sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Message #

SOAP [listener sending index %1 of %2 total chunks (%3 bytes)] %4

Fields #

Name	Description
`index` UInt32
`totalChunks` UInt32
`bytes` UInt32
`SoapDocument` UnicodeString

Event ID 1028: Received the response from Network layer; status: {status}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Received the response from Network layer; status: {status}.

Message #

Received the response from Network layer; status: {status}

Fields #

Name	Description
`status`	NTSTATUS reference

Event ID 1029: Received the response from Network layer; status: {status}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Received the response from Network layer; status: {status}.

Message #

Received the response from Network layer; status: {status}

Fields #

Name	Description
`status`	NTSTATUS reference

Event ID 1030: Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: {location}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: {location}.

Message #

Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: {location}

Fields #

Name	Description
`location`

Event ID 1031: WSMan operation {operationName} completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

WSMan operation {operationName} completed successfully.

Message #

WSMan operation {operationName} completed successfully

Fields #

Name	Description
`operationName`

Event ID 1032: Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT; using next proxy

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT; using next proxy.

Message #

Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT; using next proxy

Event ID 1033: Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED; using next proxy

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED; using next proxy.

Message #

Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED; using next proxy

Event ID 1034: Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved. Aborting the operation.

Message #

Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved. Aborting the operation

Event ID 1035: The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT).

Message #

The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)

Event ID 1036: The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE)

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE).

Message #

The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE)

Event ID 1037: The WSMan service could not launch a host process to process the given request.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. Error code {errorCode}.

Message #

The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. Error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 1038: The WSMan host process was unexpectedly terminated.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The WSMan host process was unexpectedly terminated. Error code {errorCode}.

Message #

The WSMan host process was unexpectedly terminated. Error code {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 1039: Sending HTTP error back to the client due to a transport failure.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Sending HTTP error back to the client due to a transport failure.The HTTP status code is {httpStatus}The error code is {errorCode}.

Message #

Sending HTTP error back to the client due to a transport failure.The HTTP status code is {httpStatus}The error code is {errorCode}

Fields #

Name	Description
`httpStatus`
`errorCode`

Event ID 1040: Sending timeout response for operation: {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Sending timeout response for operation: {operationName}.

Message #

Sending timeout response for operation: {operationName}

Fields #

Name	Description
`operationName`

Event ID 1041: Enumeration is shutting down

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling

Description

Enumeration is shutting down.

Message #

Enumeration is shutting down

Event ID 1042: WSMan operation {operationName} failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

WSMan operation {operationName} failed; error code {errorCode}.

Message #

WSMan operation {operationName} failed; error code {errorCode}

Fields #

Name	Description
`operationName`
`errorCode`

Event ID 1043: Subscription is shutting down

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling

Description

Subscription is shutting down.

Message #

Subscription is shutting down

Event ID 1044: SOAP [listener sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Responsehandling

Description

SOAP [listener sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.

Message #

SOAP [listener sending index %1 of %2 total chunks (%3 bytes)] %4

Fields #

Name	Description
`index` UInt32
`totalChunks` UInt32
`bytes` UInt32
`SoapDocument` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 1044,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": "0x2000000000000005",
    "time_created": "2026-06-02T05:32:28.986+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0007-005C-818753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 22924
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SoapDocument": "<s:Envelope xml:lang=\"en-US\" xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:rsp=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\"><s:Header><a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action><a:MessageID>uuid:90F5637C-A167-41AE-A9AE-EC20D8695A8C</a:MessageID><p:ActivityId>877F78A1-F053-0007-045C-818753F0DC01</p:ActivityId><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:014D5D3F-4C88-4A51-B929-54F7F851F0AE</a:RelatesTo></s:Header><s:Body><rsp:ReceiveResponse><rsp:Stream Name=\"stdout\" CommandId=\"702889DC-AC6A-4895-9307-B34DF9C1B107\">AAAAAAAAA4AAAAAAAAAAAAMAAABAAQAAAAQQBAARECk/+FajT6SAPjFksVMz3IkocGqslUiTB7NN+cGxB++7vzxTPlBJRD0xNjQ5MiBTWj0wPC9TPg==</rsp:Stream><rsp:Stream Name=\"stdout\" CommandId=\"702889DC-AC6A-4895-9307-B34DF9C1B107\">AAAAAAAAA4EAAAAAAAAAAAMAAABnAQAAAAYQBAARECk/+FajT6SAPjFksVMz3IkocGqslUiTB7NN+cGxB++7vzxPYmogUmVmSWQ9IjAiPjxNUz48STMyIE49IlBpcGVsaW5lU3RhdGUiPjQ8L0kzMj48L01TPjwvT2JqPg==</rsp:Stream><rsp:CommandState CommandId=\"702889DC-AC6A-4895-9307-B34DF9C1B107\" State=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandState/Done\"><rsp:ExitCode>0</rsp:ExitCode></rsp:CommandState></rsp:ReceiveResponse></s:Body></s:Envelope>",
    "bytes": 1446,
    "index": 1,
    "totalChunks": 1
  },
  "message": "Task.ResponseHandling"
}

Event ID 1045: Received the response from Network layer; status: 200 (HTTP_STATUS_OK)

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling
Opcode: Start

Description

Received the response from Network layer; status: 200 (HTTP_STATUS_OK).

Message #

Received the response from Network layer; status: 200 (HTTP_STATUS_OK)

Event ID 1046: An extended semantics callback timed out for the operationName operation.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling

Description

An extended semantics callback timed out for the operationName operation.

Message #

An extended semantics callback timed out for the %1 operation.

Fields #

Name	Description
`operationName` UnicodeString

Event ID 1047: Received the response from Network layer; status: status.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling
Opcode: Start

Description

Received the response from Network layer; status: status.

Message #

Received the response from Network layer; status: %1

Fields #

Name	Description
`status` UnicodeString	NTSTATUS reference

Event ID 1048: Sending HTTP error back to the client due to a transport failure.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling

Description

Sending HTTP error back to the client due to a transport failure.

Message #

Sending HTTP error back to the client due to a transport failure.
The HTTP status code is %1
The error code is %2

Fields #

Name	Description
`httpStatus` UInt16
`errorCode` UInt32
`extraErrorInfo1` UnicodeString
`extraErrorInfo2` UnicodeString

Event ID 1049: Sending timeout response for operation: operationName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling

Description

Sending timeout response for operation: operationName.

Message #

Sending timeout response for operation: %1

Fields #

Name	Description
`operationName` UnicodeString

Event ID 1050: Sending response for operation operationName.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Responsehandling

Description

Sending response for operation operationName.

Message #

Sending response for operation %1

Fields #

Name	Description
`operationName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 1050,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": "0x2000000000000004",
    "time_created": "2026-06-02T05:32:28.987+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0009-EB78-7F8753F0DC01}"
    },
    "execution": {
      "process_id": 4672,
      "thread_id": 17880
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "operationName": "Receive"
  },
  "message": "Task.ResponseHandling"
}

Event ID 1051: Received the response from Network layer; status: status.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling

Description

Received the response from Network layer; status: status.

Message #

Received the response from Network layer; status: %1

Fields #

Name	Description
`status` UInt32	NTSTATUS reference

Event ID 1052: WSMan operation operationName completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Responsehandling
Opcode: Stop

Description

WSMan operation operationName completed successfully.

Message #

WSMan operation %1 completed successfully

Fields #

Name	Description
`operationName` UnicodeString

Event ID 1053: WSMan operation operationName got suspended because of WSMan Shell disconnection.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WinrmOperation
Opcode: Stop

Description

WSMan operation operationName got suspended because of WSMan Shell disconnection.

Message #

WSMan operation %1 got suspended because of WSMan Shell disconnection.

Fields #

Name	Description
`operationName` UnicodeString

Event ID 1054: WSMan operation operationName resuming because of WSMan Shell reconnection.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WinrmOperation
Opcode: Stop

Description

WSMan operation operationName resuming because of WSMan Shell reconnection.

Message #

WSMan operation %1 resuming because of WSMan Shell reconnection.

Fields #

Name	Description
`operationName` UnicodeString

Event ID 1280: Sending HTTP 401 response to the client and disconnect the connection after sending the response

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Sending HTTP 401 response to the client and disconnect the connection after sending the response.

Message #

Sending HTTP 401 response to the client and disconnect the connection after sending the response

Event ID 1281: User {username} authenticated successfully using {authenticationMechanism} authentication.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

User {username} authenticated successfully using {authenticationMechanism} authentication.

Message #

User {username} authenticated successfully using {authenticationMechanism} authentication

Fields #

Name	Description
`username`
`authenticationMechanism`

Event ID 1282: The authentication using client certificate with subject {subject} done successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The authentication using client certificate with subject {subject} done successfully.

Message #

The authentication using client certificate with subject {subject} done successfully

Fields #

Name	Description
`subject`

Event ID 1283: Authenticating the user using {authentication} mechanism.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Authenticating the user using {authentication} mechanism.

Message #

Authenticating the user using {authentication} mechanism

Fields #

Name	Description
`authentication`

Event ID 1285: Authenticating the user failed.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

Authenticating the user failed. The credentials didn't work.

Message #

Authenticating the user failed. The credentials didn't work.

Event ID 1286: The authentication mechanism ({authClient}) requested by the client is not supported by the server.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message #

The authentication mechanism ({authClient}) requested by the client is not supported by the server.Possible authentication mechanisms reported by server: {authServer1} {authServer2} {authServer3} {authServer4} {authServer5}

Fields #

Name	Description
`authClient`
`authServer1`
`authServer2`
`authServer3`
`authServer4`
`authServer5`

Event ID 1287: The destination computer ({destinationMachine}) returned an 'access denied' error.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message #

The destination computer ({destinationMachine}) returned an 'access denied' error.Possible authentication mechanisms reported by server: {authServer1} {authServer2} {authServer3} {authServer4} {authServer5}.Verify your credentials are correct.

Fields #

Name	Description
`destinationMachine`
`authServer1`
`authServer2`
`authServer3`
`authServer4`
`authServer5`

Event ID 1288: The authentication mechanism requested by the proxy is not supported by the client.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message #

The authentication mechanism requested by the proxy is not supported by the client. The only proxy authentication mechanism supported are Negotiate; Basic or Digest. Possible authentication mechanisms reported by proxy: {authProxy1} {authProxy2} {authProxy3} {authProxy4} {authProxy5}

Fields #

Name	Description
`authProxy1`
`authProxy2`
`authProxy3`
`authProxy4`
`authProxy5`

Event ID 1289: The chosen authentication mechanism is {auth}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The chosen authentication mechanism is {auth}.

Message #

The chosen authentication mechanism is {auth}

Fields #

Name	Description
`auth`

Event ID 1291: Network layer AutoLogon policy was set to Low as a result of a HTTP 401 response from Network layer

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Userauthentication

Description

Network layer AutoLogon policy was set to Low as a result of a HTTP 401 response from Network layer.

Message #

Network layer AutoLogon policy was set to Low as a result of a HTTP 401 response from Network layer

Event ID 1292: Network layer AutoLogon policy was set to High

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Userauthentication

Description

Network layer AutoLogon policy was set to High.

Message #

Network layer AutoLogon policy was set to High

Event ID 1293: The chosen authentication mechanism is auth.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Userauthentication

Description

The chosen authentication mechanism is auth.

Message #

The chosen authentication mechanism is %1

Fields #

Name	Description
`auth` UnicodeString

Event ID 1294: Sending HTTP 401 response to the client and disconnect the connection after sending the response

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Userauthentication

Description

Sending HTTP 401 response to the client and disconnect the connection after sending the response.

Message #

Sending HTTP 401 response to the client and disconnect the connection after sending the response

Event ID 1295: User username authenticated successfully using authenticationMechanism authentication.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Userauthentication

Description

User username authenticated successfully using authenticationMechanism authentication.

Message #

User %1 authenticated successfully using %2 authentication

Fields #

Name	Description
`username` UnicodeString
`authenticationMechanism` UnicodeString

Event ID 1296: The authentication using client certificate with subject subject done successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Userauthentication

Description

The authentication using client certificate with subject subject done successfully.

Message #

The authentication using client certificate with subject %1 done successfully

Fields #

Name	Description
`subject` UnicodeString

Event ID 1297: Authenticating the user using authentication mechanism.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Userauthentication

Description

Authenticating the user using authentication mechanism.

Message #

Authenticating the user using %1 mechanism

Fields #

Name	Description
`authentication` UnicodeString

Event ID 1536: Authorizing the user

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Level: Informational
Task: Userauthorization

Description

Authorizing the user.

Message #

Authorizing the user

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 1536,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": "0x200000000000000C",
    "time_created": "2026-06-02T05:32:28.992+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0009-EB78-7F8753F0DC01}"
    },
    "execution": {
      "process_id": 4672,
      "thread_id": 2972
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "Task.Authorization"
}

Event ID 1537: The authorization of the user was done successfully

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Userauthorization

Description

The authorization of the user was done successfully.

Message #

The authorization of the user was done successfully

Event ID 1538: The authorization of the user failed with error {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The authorization of the user failed with error {errorCode}.

Message #

The authorization of the user failed with error {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 1792: The Winrm service is starting

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The Winrm service is starting.

Message #

The Winrm service is starting

Event ID 1793: The Winrm service started successfully

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The Winrm service started successfully.

Message #

The Winrm service started successfully

Event ID 1794: The WinRM service is unable to start because of a failure during initialization.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The WinRM service is unable to start because of a failure during initialization. The error code is {errorCode}.

Message #

The WinRM service is unable to start because of a failure during initialization. The error code is {errorCode}

Fields #

Name	Description
`errorCode`

Event ID 1795: The Winrm service is stopping

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The Winrm service is stopping.

Message #

The Winrm service is stopping

Event ID 1796: The Winrm service was stopped successfully

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

The Winrm service was stopped successfully.

Message #

The Winrm service was stopped successfully

Event ID 1797: The WSMan service could not load current configuration settings as the settings are corrupted.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message #

The WSMan service could not load current configuration settings as the settings are corrupted. The service is started with default settings instead.  User Action  Use the following command to restore defaults:  winrm invoke Restore winrm/config @{}

Event ID 1798: The WSMan client could not load current configuration settings as the settings are corrupted.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message #

The WSMan client could not load current configuration settings as the settings are corrupted. The client is operating with default settings instead.  User Action  Start the WinRM service and use the following command to restore defaults:  winrm invoke Restore winrm/config @{}

Event ID 1799: The WSMan service failed to read configuration of the following plugin: {pluginName}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message #

The WSMan service failed to read configuration of the following plugin:  {pluginName}. The error received was {errorcode}: %%{errorcode}  {errordetail}. User Action  Make sure this plugin configuration is valid.

Fields #

Name	Description
`pluginName`
`errorcode`
`errordetail`

Event ID 1808

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Description

{message}.

Message #

{message}

Fields #

Name	Description
`message`

Event ID 1840: An error was encountered while processing an operation.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WinrmOperation

Description

An error was encountered while processing an operation.

Message #

An error was encountered while processing an operation.
Error Code: %1
Error String:%2

Fields #

Name	Description
`errorCode` UInt32
`errorString` UnicodeString
`extraInformation1` UnicodeString
`extraInformation2` UnicodeString
`extraInformation3` UnicodeString
`extraInformation4` UnicodeString

Event ID 1841: An error was encountered while processing an operation.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WinrmOperation

Description

An error was encountered while processing an operation.

Message #

An error was encountered while processing an operation.
Error Code: %1

Fields #

Name	Description
`errorCode` UInt32
`extraInformation1` UnicodeString
`extraInformation2` UnicodeString
`extraInformation3` UnicodeString
`extraInformation4` UnicodeString

Event ID 1842: Extra information.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: WinrmOperation

Description

Extra information. Refer to the XML parameters for more details.

Message #

Extra information.  Refer to the XML parameters for more details.

Fields #

Name	Description
`level` UInt32
`extraInformation1` UnicodeString
`extraInformation2` UnicodeString
`extraInformation3` UnicodeString
`extraInformation4` UnicodeString

Event ID 1843: An unauthenticated connection from client clientIP is terminated.

Provider: Microsoft-Windows-WinRM
Channel: Analytic
Task: Userauthentication

Description

An unauthenticated connection from client clientIP is terminated.

Message #

An unauthenticated connection from client %1 is terminated.

Fields #

Name	Description
`clientIP` UnicodeString

Event ID 2048: [Filename:- param1; Line:- param2; Function:- param3;] param4.

Provider: Microsoft-Windows-WinRM
Channel: Debug
Task: WinrmVerboseMessage

Description

[Filename:- param1; Line:- param2; Function:- param3;] param4.

Message #

[Filename:- %1; Line:- %2; Function:- %3;] %4

Fields #

Name	Description
`param1` UnicodeString
`param2` UInt32
`param3` UnicodeString
`param4` UnicodeString

Event ID 2049: [Filename:- param1; Line:- param2; Function:- param3; ErrorCode:- param4] param5.

Provider: Microsoft-Windows-WinRM
Channel: Debug
Task: WinrmVerboseMessage

Description

[Filename:- param1; Line:- param2; Function:- param3; ErrorCode:- param4] param5.

Message #

[Filename:- %1; Line:- %2; Function:- %3; ErrorCode:- %4] %5

Fields #

Name	Description
`param1` UnicodeString
`param2` UInt32
`param3` UnicodeString
`param4` UInt32
`param5` UnicodeString

Event ID 10111: User authentication using Basic authentication scheme failed.

Provider: Microsoft-Windows-WinRM
Channel: System
Level: 3

Fields #

Name	Description
`param1`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "WinRM",
    "event_id": 10111,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-08 18:04:32.374695+00:00",
    "event_record_id": 2996,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "1326"
  },
  "message": "User authentication using Basic authentication scheme failed. \n\n Additional Data \n Unexpected error received from LogonUser 1326: %%1326."
}

Event ID 10148: The WinRM service is listening for WS-Management requests

Provider: Microsoft-Windows-WinRM
Channel: System
Level: Informational

Fields #

Name	Description
`Name`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 10148,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T16:33:04.4490391+00:00",
    "event_record_id": 6770,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "The WinRM service is listening for WS-Management requests. \r\n\r\n User Action \r\n Use the following command to see the specific IPs on which WinRM is listening: \r\n\r\n winrm enumerate winrm/config/listener"
}

Event ID 10149: The WinRM service is not listening for WS-Management requests

Provider: Microsoft-Windows-WinRM
Channel: System
Level: Warning

Fields #

Name	Description
`Name`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 10149,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:22:34.5179939+00:00",
    "event_record_id": 7362,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "The WinRM service is not listening for WS-Management requests. \r\n\r\n User Action \r\n If you did not intentionally stop the service, use the following command to see the WinRM configuration: \r\n\r\n winrm enumerate winrm/config/listener"
}

Event ID 10154: The WinRM service failed to create the following SPNs: spn1;

Provider: Microsoft-Windows-WinRM
Channel: System
Level: Warning

Fields #

Name	Description
`spn1`
`spn2`
`error`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
    "event_source_name": "",
    "event_id": 10154,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T16:33:06.2146723+00:00",
    "event_record_id": 6776,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "spn1": "WSMAN/telemetry-DC-a.cell-a.ludus.domain",
    "spn2": "WSMAN/telemetry-DC-a",
    "error": "10054"
  },
  "message": "The WinRM service failed to create the following SPNs: WSMAN/telemetry-DC-a.cell-a.ludus.domain; WSMAN/telemetry-DC-a. \r\n\r\n Additional Data \r\n The error received was 10054: %%10054.\r\n\r\n User Action \r\n The SPNs can be created by an administrator using setspn.exe utility."
}

Event ID 468853: The WinRM service is not listening for requests since it failed to listen on at least one address and port.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is not listening for requests since it failed to listen on at least one address and port.

Message #

The WinRM service is not listening for requests since it failed to listen on at least one address and port. 

 Remote management using WinRM will fail. 

 User Action 
 Configure listeners by enabling GPO policy for Auto Configuration of listeners or manually create a listener using WinRM command line tool.

Event ID 468854: The WinRM service is not listening for param1 requests because there was a failure binding to the URL (param2) in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is not listening for param1 requests because there was a failure binding to the URL (param2) in HTTP.SYS.

Message #

The WinRM service is not listening for %1 requests because there was a failure binding to the URL (%2) in HTTP.SYS. 

 Another process is registered to listen on the WinRM service URL prefix. 

 User Action 
 Correct this problem by stopping the other process, changing its URL prefix, or by changing the configuration for the WS-Management listening address.

Fields #

Name	Description
`param1` UnicodeString	The WinRM service is not listening for
`param2` UnicodeString	requests because there was a failure binding to the URL (

Event ID 468855: The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.

Message #

The WS-Management client is not listening for pushed events because there was a failure binding to the URL (%1) in HTTP.SYS. 

 Another process is registered to listen on the WinRM client URL prefix. 

 User Action 
 Correct this problem by stopping the other process, changing its URL prefix, or by changing the configuration for the WS-Management listening address.

Fields #

Name	Description
`param1` UnicodeString	The WS-Management client is not listening for pushed events because there was a failure binding to the URL (

Event ID 468856: The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL (param1) in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL (param1) in HTTP.SYS.

Message #

The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL (%1) in HTTP.SYS.  

 No remote requests will be serviced on that URL. 

 User Action 
 Please use "netsh http" to check if ACL for URL (%1) is set to Network Service. 

 Additional Data 
 The error code received from HTTP.sys is %2: %%%2

Fields #

Name	Description
`param1` UnicodeString	The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL (
`param2` UnicodeString	The error code received from HTTP.sys is

Event ID 468857: The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.

Message #

The WS-Management client is not listening for pushed events because there was a failure binding to the URL (%1) in HTTP.SYS. 

 User Action 
 Please use "netsh http" to check if ACL for URL (%1) is set to Network Service. 

 Additional Data 
 The error code received from HTTP.sys was %2: %%%2

Fields #

Name	Description
`param1` UnicodeString	The WS-Management client is not listening for pushed events because there was a failure binding to the URL (
`param2` UnicodeString	The error code received from HTTP.sys was

Event ID 468862: The WinRM service cannot validate the client certificate because the revocation status of the certificate or one of the certificates in the certifi...

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service cannot validate the client certificate because the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.

Message #

The WinRM service cannot validate the client certificate because the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale. 

 User Action 
 Please ensure that the Certificate Revocation List is accessible and up-to-date.

Event ID 468863: User authentication using Basic authentication scheme failed.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

User authentication using Basic authentication scheme failed.

Message #

User authentication using Basic authentication scheme failed. 

 Additional Data 
 Unexpected error received from LogonUser %1: %%%1.

Fields #

Name	Description
`param1` UnicodeString	Unexpected error received from LogonUser

Event ID 468864: The client certificate exceeded the maximum size allowed by the WinRM service.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The client certificate exceeded the maximum size allowed by the WinRM service.

Message #

The client certificate exceeded the maximum size allowed by the WinRM service.

 User Action 
 Please use a different client certificate or a different authentication mechanism.

Event ID 468865: Request processing failed because the WinRM service cannot load data or event source: DLL="param1" User Action Please check if "param1" exists.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Request processing failed because the WinRM service cannot load data or event source: DLL="param1".

Message #

Request processing failed because the WinRM service cannot load data or event source: DLL="%1" 

 User Action 
 Please check if "%1" exists. 

 Additional Data 
 Loading %1 failed with error="%2" (%%%2).

Fields #

Name	Description
`param1` UnicodeString	Request processing failed because the WinRM service cannot load data or event source: DLL="
`param2` UnicodeString	failed with error="

Event ID 468866: The SSL configuration for IP param1 and port param2 is shared with another service, such as Internet Information Services (IIS).

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The SSL configuration for IP param1 and port param2 is shared with another service, such as Internet Information Services (IIS).

Message #

The SSL configuration for IP %1 and port %2 is shared with another service, such as Internet Information Services (IIS).

Fields #

Name	Description
`param1` UnicodeString	The SSL configuration for IP
`param2` UnicodeString	and port

Event ID 468871: The WinRM service is unable to start because of a failure during initialization.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is unable to start because of a failure during initialization.

Message #

The WinRM service is unable to start because of a failure during initialization. 

 Additional Data 
 The error code is %1.

Fields #

Name	Description
`param1` UnicodeString	The error code is

Event ID 468872: The WinRM service has received an unsecure HTTP connection from param1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service has received an unsecure HTTP connection from param1.

Message #

The WinRM service has received an unsecure HTTP connection from %1. 

 This is not a secure configuration. 

 User Action 
 Set AllowUnencrypted to False in WinRM configuration to ensure packets are encrypted on the wire.

Fields #

Name	Description
`param1` UnicodeString	The WinRM service has received an unsecure HTTP connection from

Event ID 468873: The WinRM service has been configured to accept basic authentication for unsecure HTTP connections.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service has been configured to accept basic authentication for unsecure HTTP connections.

Message #

The WinRM service has been configured to accept basic authentication for unsecure HTTP connections. 

 This is not a secure configuration. 

 User Action 
 Set AllowUnencrypted to False in WinRM configuration to ensure packets are encrypted on the wire.

Event ID 468880: The WinRM service is not listening for HTTP requests because there was a failure binding to the URL (param1) in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is not listening for HTTP requests because there was a failure binding to the URL (param1) in HTTP.SYS.

Message #

The WinRM service is not listening for HTTP requests because there was a failure binding to the URL (%1) in HTTP.SYS. 

 No remote requests will be serviced on that URL. 

 User Action 
 Please use "netsh http" to check if ACL for URL (%1) is set to Network Service. 

 Additional Data 
 The error code received from HTTP.sys is %2: %%%2

Fields #

Name	Description
`param1` UnicodeString	The WinRM service is not listening for HTTP requests because there was a failure binding to the URL (
`param2` UnicodeString	The error code received from HTTP.sys is

Event ID 468881: The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.

Message #

The WS-Management client is not listening for pushed events because there was a failure binding to the URL (%1) in HTTP.SYS. 

 User Action 
 Please use "netsh http" to check if ACL for URL (%1) is set to Network Service. 

 Additional Data 
 The error code received from HTTP.sys was %2: %%%2

Fields #

Name	Description
`param1` UnicodeString	The WS-Management client is not listening for pushed events because there was a failure binding to the URL (
`param2` UnicodeString	The error code received from HTTP.sys was

Event ID 468882: IP Filter param1 specified in the GPO policy for Auto Configuration of listeners is invalid and it will be ignored.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

IP Filter param1 specified in the GPO policy for Auto Configuration of listeners is invalid and it will be ignored. Due to this issue, the WinRM service cannot use the autoconfigured listener.

Message #

IP Filter %1 specified in the GPO policy for Auto Configuration of listeners is invalid and it will be ignored. Due to this issue, the WinRM service cannot use the autoconfigured listener. 

 "*" is used to indicate that the service should listen on all available IPs on the machine. When "*" is used, other ranges cannot be specified in the filter. 

 User Action 
 Remove other IP ranges if "*" needs to be included in the IP Filter.

Fields #

Name	Description
`param1` UnicodeString	IP Filter

Event ID 468883: The IP Range param1 is invalid and it will be ignored.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The IP Range param1 is invalid and it will be ignored.

Message #

The IP Range %1 is invalid and it will be ignored.  

 Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," as delimiter. 
 Example IPv4 ranges:  2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 
Example IPv6 ranges:  3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 

 User Action 
 Correct the IP filter %1 using the syntax described above.

Fields #

Name	Description
`param1` UnicodeString	The IP Range

Event ID 468884: The WinRM service is not listening for policy changes because there was a failure registering for changes to the contents of the WS-Management poli...

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is not listening for policy changes because there was a failure registering for changes to the contents of the WS-Management policy key.

Message #

The WinRM service is not listening for policy changes because there was a failure registering for changes to the contents of the WS-Management policy key. 

 No group policy change will be serviced. 

 User Action 
 Stop and restart the WinRM service. 

 Additional Data 
 The error code was %1.

Fields #

Name	Description
`param1` UnicodeString	The error code was

Event ID 468888: The WinRM service encountered a catastrophic security failure.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service encountered a catastrophic security failure. The service can no longer run under its security context.

Message #

The WinRM service encountered a catastrophic security failure. The service can no longer run under its security context. 

 User Action 
 Stop and restart the WinRM service. 

 Additional Data 
 The error code is %1.

Fields #

Name	Description
`param1` UnicodeString	The error code is

Event ID 468889: The WinRM service cannot migrate the listener with IP address param1 and Port param2 because the IP address does not exist on the destination computer.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service cannot migrate the listener with IP address param1 and Port param2 because the IP address does not exist on the destination computer. This listener was ignored during migration.

Message #

The WinRM service cannot migrate the listener with IP address %1 and Port %2 because the IP address does not exist on the destination computer. This listener was ignored during migration. 

 User Action 
 Create the listener again with the correct IP address.

Fields #

Name	Description
`param1` UnicodeString	The WinRM service cannot migrate the listener with IP address
`param2` UnicodeString	and Port

Event ID 468890: The WinRM service cannot migrate the listener with Address param1 and Transport param2 because the IP address param3 does not exist on the destination computer.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service cannot migrate the listener with Address param1 and Transport param2 because the IP address param3 does not exist on the destination computer. This listener was ignored during migration.

Message #

The WinRM service cannot migrate the listener with Address %1 and Transport %2 because the IP address %3 does not exist on the destination computer. This listener was ignored during migration. 

 User Action 
 Create the listener again with the correct IP address.

Fields #

Name	Description
`param1` UnicodeString	The WinRM service cannot migrate the listener with Address
`param2` UnicodeString	and Transport
`param3` UnicodeString	because the IP address

Event ID 468891: The WinRM service cannot migrate the listener with IP address param1 and Port param2 because the MAC address param3 does not exist on the destination computer.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service cannot migrate the listener with IP address param1 and Port param2 because the MAC address param3 does not exist on the destination computer. This listener was ignored during migration.

Message #

The WinRM service cannot migrate the listener with IP address %1 and Port %2 because the MAC address %3 does not exist on the destination computer. This listener was ignored during migration. 

 User Action 
 Create the listener again with the correct MAC address.

Fields #

Name	Description
`param1` UnicodeString	The WinRM service cannot migrate the listener with IP address
`param2` UnicodeString	and Port
`param3` UnicodeString	because the MAC address

Event ID 468892: The WinRM service cannot migrate the listener with Address param1 and Transport param2 because the MAC address param3 does not exist on the destination machine.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service cannot migrate the listener with Address param1 and Transport param2 because the MAC address param3 does not exist on the destination machine. This listener was ignored during migration.

Message #

The WinRM service cannot migrate the listener with Address %1 and Transport %2 because the MAC address %3 does not exist on the destination machine. This listener was ignored during migration. 

 User Action 
 Create the listener again with the correct MAC address.

Fields #

Name	Description
`param1` UnicodeString	The WinRM service cannot migrate the listener with Address
`param2` UnicodeString	and Transport
`param3` UnicodeString	because the MAC address

Event ID 468893: The WinRM service cannot migrate the listener with IP address param1, Port param2 and Transport param3.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service cannot migrate the listener with IP address param1, Port param2 and Transport param3. A listener that has Address=param4 and Transport=param5 configuration already exists.

Message #

The WinRM service cannot migrate the listener with IP address %1, Port %2 and Transport %3. A listener that has Address=%4 and Transport=%5 configuration already exists.

Fields #

Name	Description
`param1` UnicodeString	The WinRM service cannot migrate the listener with IP address
`param2` UnicodeString	, Port
`param3` UnicodeString	and Transport
`param4` UnicodeString	. A listener that has Address=
`param5` UnicodeString	and Transport=

Event ID 468894: The WinRM service cannot migrate the listener with Address param1 and Transport param2.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service cannot migrate the listener with Address param1 and Transport param2. A listener that has the same Address and Transport configuration already exists.

Message #

The WinRM service cannot migrate the listener with Address %1 and Transport %2. A listener that has the same Address and Transport configuration already exists.

Fields #

Name	Description
`param1` UnicodeString	The WinRM service cannot migrate the listener with Address
`param2` UnicodeString	and Transport

Event ID 468895: The WinRM service had a failure during migration.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service had a failure during migration.

Message #

The WinRM service had a failure during migration. 

 User Action 
 Create the configuration again using the WinRM command line tool. 

 Additional Data 
 The error code is: %1 %%%1

Fields #

Name	Description
`param1` UnicodeString	The error code is
`param2` UnicodeString

Event ID 468896: The WinRM service had a failure reading the current configuration and is stopping.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service had a failure reading the current configuration and is stopping.

Message #

The WinRM service had a failure reading the current configuration and is stopping. 

 User Action 
 Use the following command to restore defaults: 

 winrm invoke Restore winrm/config @{} 

 Then add any custom configuration settings and restart the service. 

 Additional Data 
 The error code is: %1 %%%1

Fields #

Name	Description
`param1` UnicodeString	The error code is

Event ID 468897: The WinRM service had a failure applying the current configuration and is stopping.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service had a failure applying the current configuration and is stopping.

Message #

The WinRM service had a failure applying the current configuration and is stopping. 

 User Action 
 Check for previous event log messages and restart the service.

Fields #

Name	Description
`param1` UnicodeString

Event ID 468898: The WinRM service had a failure reading the current configuration and is stopping.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service had a failure reading the current configuration and is stopping.

Message #

The WinRM service had a failure reading the current configuration and is stopping. 

 User Action 
 Use the following command to restore defaults: 

 winrm invoke Restore winrm/config @{} 

 Then add any custom configuration settings and restart the service. 

 Additional Data 
 The error code is: %1 %%%1

Event ID 468899: The host name pattern "param1" is invalid and it will be ignored.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The host name pattern "param1" is invalid and it will be ignored. Host name patterns must not be empty and they can contain at most one wildcard ("*"). "*" pattern can be used to indicate all hosts; if this pattern is used, no other pattern can show up in the list. Special string "<local>" can be used to indicate all host names that do not have a '.' User Action Correct the host name pattern using the syntax described above.

Message #

The host name pattern "%1" is invalid and it will be ignored. Host name patterns must not be empty and they can contain at most one wildcard ("*"). "*" pattern can be used to indicate all hosts; if this pattern is used, no other pattern can show up in the list. Special string "<local>" can be used to indicate all host names that do not have a '.'

 User Action 
 Correct the host name pattern using the syntax described above.

Fields #

Name	Description
`param1` UnicodeString	The host name pattern "

Event ID 468900: The WinRM service is listening for WS-Management requests.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is listening for WS-Management requests.

Message #

The WinRM service is listening for WS-Management requests. 

 User Action 
 Use the following command to see the specific IPs on which WinRM is listening: 

 winrm enumerate winrm/config/listener

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "event_id": 10148,
    "level": "Information",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-04-23T08:40:35.3663303+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {}
}

Event ID 468901: The WinRM service is not listening for WS-Management requests.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is not listening for WS-Management requests.

Message #

The WinRM service is not listening for WS-Management requests. 

 User Action 
 If you did not intentionally stop the service, use the following command to see the WinRM configuration: 

 winrm enumerate winrm/config/listener

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "event_id": 10149,
    "level": "Warning",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-04-23T15:32:28.3753201+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {}
}

Event ID 468902: The WinRM service could not use the following listener to receive WS-Management requests.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service could not use the following listener to receive WS-Management requests. The listener is enabled but the listener does not have an IP address configured.

Message #

The WinRM service could not use the following listener to receive WS-Management requests.  The listener is enabled but the listener does not have an IP address configured. 

 User Action 
 Check the underlying network configuration to determine if this listener has at least one valid IP. If the IP is valid, ensure that WinRM configuration does not exclude that IP address by using the following command: 

 winrm get winrm/config/service 

 Additional Data 
 Listener transport: %1 
 Listener address: %2

Fields #

Name	Description
`transport` UnicodeString	Listener transport
`address` UnicodeString	Listener address

Event ID 468903: The WinRM service had a failure (param1) reading configuration during ip address change notification.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service had a failure (param1) reading configuration during ip address change notification.

Message #

The WinRM service had a failure (%1) reading configuration during ip address change notification. 

 Service will continue running with old configuration.

 User Action 
 If immediae changes are required manually restart the service

Fields #

Name	Description
`param1` UnicodeString	The WinRM service had a failure (

Event ID 468904: The WinRM service successfully processed an address change notification.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service successfully processed an address change notification.

Message #

The WinRM service successfully processed an address change notification.

Event ID 468905: The WSMan IIS module failed to read configuration.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WSMan IIS module failed to read configuration. The error received was : %.

Message #

The WSMan IIS module failed to read configuration. The error received was %1: %%%1 
 %2.

 User Action 
 Make sure both the schema and validation files are present and valid.

Fields #

Name	Description
`errorcode` UnicodeString	The WSMan IIS module failed to read configuration. The error received was
`errordetail` UnicodeString

Event ID 468906: The WinRM service failed to create the following SPNs: spn1; spn2.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service failed to create the following SPNs: spn1; spn2.

Message #

The WinRM service failed to create the following SPNs: %1; %2. 

 Additional Data 
 The error received was %3: %%%3.

 User Action 
 The SPNs can be created by an administrator using setspn.exe utility.

Fields #

Name	Description
`spn1` UnicodeString	The WinRM service failed to create the following SPNs
`spn2` UnicodeString
`error` UnicodeString	The error received was

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "event_id": 10154,
    "level": "Warning",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-04-23T08:40:47.4200212+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "spn2": "WSMAN/JD-DC01-2022",
    "error": "1355",
    "spn1": "WSMAN/JD-DC01-2022.ludus.domain"
  }
}

Event ID 468907: The WSMan service failed to read configuration of the following plugin.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WSMan service failed to read configuration of the following plugin.

Message #

The WSMan service failed to read configuration of the following plugin: 
 %1. 

The error received was %2: %%%2 
 %3.

 User Action 
 Make sure this plugin configuration is valid.

Fields #

Name	Description
`pluginName` UnicodeString
`errorcode` UnicodeString	The error received was
`errordetail` UnicodeString

Event ID 468908: The WinRM service failed to initialize CredSSP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service failed to initialize CredSSP.

Message #

The WinRM service failed to initialize CredSSP. 

 Additional Data 
 The error received was %1.

 User Action 
 Configure CertificateThumbprint setting under the WinRM configuration for the service. Use the thumbprint of a valid certificate and make sure that Network Service has access to the private key of the certificate.

Fields #

Name	Description
`error` UnicodeString	The error received was

Event ID 468909: The WinRM service received an error while trying to unloading a data or event source: DLL="param1" User Action Please check if there is an updated vers...

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service received an error while trying to unloading a data or event source: DLL="param1".

Message #

The WinRM service received an error while trying to unloading a data or event source: DLL="%1" 

 User Action 
 Please check if there is an updated version of this file available: "%1". 

 Additional Data 
 Shutting down %1 failed with error="%2" (%%%2).

Fields #

Name	Description
`param1` UnicodeString	The WinRM service received an error while trying to unloading a data or event source: DLL="
`param2` UnicodeString	failed with error="

Event ID 468910: The WinRM service is listening on the default param1 port param2 and on param1 (Compatibility) port param3 for WS-Management requests.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is listening on the default port and on (Compatibility) port for WS-Management requests. port is no longer the default port for the WinRM service.

Message #

The WinRM service is listening on the default %1 port %2 and on %1 (Compatibility) port %3 for WS-Management requests. %1 port %3 is no longer the default port for the WinRM service.

 If you want to disable the listener on the (Compatibility) port %3, run the following command:

 Winrm set winrm/config/service @{%4="False"}

Fields #

Name	Description
`param1` UnicodeString	The WinRM service is listening on the default
`param2` UnicodeString
`param3` UnicodeString	(Compatibility) port
`param4` UnicodeString	Winrm set winrm/config/service @{

Event ID 468911: The WinRM service has terminated param1 unauthenticated connections over the past param2 minutes to maintain healthy system state.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

Message #

The WinRM service has terminated %1 unauthenticated connections over the past %2 minutes to maintain healthy system state. This will likely happen if the service is overloaded or if the service is under an authentication based attack. 

 Action: 
Enable and observe Windows Remote Management Analytic log and look for warning events with Id 1843. These include additional information about the clients that got abruptly terminated.

Fields #

Name	Description
`param1` UnicodeString	The WinRM service has terminated
`param2` UnicodeString	unauthenticated connections over the past

Event ID 3221734403: The WinRM service is stopping because there was a failure registering for changes to the IP addresses.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is stopping because there was a failure registering for changes to the IP addresses.

Message #

The WinRM service is stopping because there was a failure registering for changes to the IP addresses. 

 User Action 
 Restart the WinRM service. 

 Additional Data 
 The error code was %1.

Fields #

Name	Description
`param1` UnicodeString

Event ID 3221734404: The WinRM service is stopping because there was a failure registering for changes to the configuration.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Description

The WinRM service is stopping because there was a failure registering for changes to the configuration.

Message #

The WinRM service is stopping because there was a failure registering for changes to the configuration. 

 User Action 
 Restart the WinRM service. 

 Additional Data 
 The error code was %1.

Fields #

Name	Description
`param1` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {A7975C8F-AC13-49F1-87DA-5A984A4AB417}

Defined in wsmres.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)