Microsoft-Windows-WMI-Activity
25 events across 3 channels
Event ID 1: GroupOperationId = GroupOperationId; OperationId = OperationId; Operation = Operation; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; NamespaceName = NamespaceName.
#Description
GroupOperationId = GroupOperationId; OperationId = OperationId; Operation = Operation; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; NamespaceName = NamespaceName.
Message #
Fields #
| Name | Description |
|---|---|
GroupOperationId UInt32 | |
OperationId UInt32 | |
Operation UnicodeString | Known values
|
ClientMachine UnicodeString | |
User UnicodeString | |
ClientProcessId UInt32 | |
NamespaceName UnicodeString |
Event ID 2: ProviderInfo for GroupOperationId = GroupOperationId; Operation = Operation; ProviderName = ProviderName; ProviderGuid = ProviderGuid; Path = Path.
#Description
ProviderInfo for GroupOperationId = GroupOperationId; Operation = Operation; ProviderName = ProviderName; ProviderGuid = ProviderGuid; Path = Path.
Message #
Fields #
| Name | Description |
|---|---|
GroupOperationId UInt32 | |
Operation UnicodeString | Known values
|
ProviderName UnicodeString | |
ProviderGuid UnicodeString | |
Path UnicodeString |
Event ID 3: Stop OperationId = OperationId.
#Event ID 11: CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; Operation = Operation; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; ...
#Description
CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; Operation = Operation; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; NamespaceName = ClientProcessCreationTime.
Message #
Fields #
| Name | Description |
|---|---|
CorrelationId UnicodeString | |
GroupOperationId UInt32 | |
OperationId UInt32 | |
Operation UnicodeString | Known values
|
ClientMachine UnicodeString | |
ClientMachineFQDN UnicodeString | |
User UnicodeString | |
ClientProcessId UInt32 | |
ClientProcessCreationTime UInt64 | |
NamespaceName UnicodeString | |
IsLocal Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 11,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:22.5390626+00:00",
"event_record_id": 3702,
"correlation": {
"ActivityID": "a5a72efc-0725-4af3-8928-2c7be294af3b",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 14888
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_New": {
"CorrelationId": "{EB2F7CD8-77D6-447B-8B41-85BBC0F0CD29}",
"GroupOperationId": "33824",
"OperationId": "33915",
"Operation": "Start IWbemServices::DeleteInstance - Root\\Rsop\\Computer : RSOP_ExtensionStatus.extensionGuid=\"{FB2CA36D-0B40-4307-821B-A13B252DE56C}\"",
"ClientMachine": "DESKTOP-K7Q9MS2",
"ClientMachineFQDN": "DESKTOP-K7Q9MS2",
"User": "NT AUTHORITY\\SYSTEM",
"ClientProcessId": "5592",
"ClientProcessCreationTime": "134223150821160298",
"NamespaceName": "\\\\.\\Root\\Rsop\\Computer",
"IsLocal": "true"
}
},
"message": "CorrelationId = {EB2F7CD8-77D6-447B-8B41-85BBC0F0CD29}; GroupOperationId = 33824; OperationId = 33915; Operation = Start IWbemServices::DeleteInstance - Root\\Rsop\\Computer : RSOP_ExtensionStatus.extensionGuid=\"{FB2CA36D-0B40-4307-821B-A13B252DE56C}\"; ClientMachine = DESKTOP-K7Q9MS2; User = NT AUTHORITY\\SYSTEM; ClientProcessId = 5592; NamespaceName = 134223150821160298"
}
Event ID 12: ProviderInfo for GroupOperationId = GroupOperationId; Operation = Operation; HostID = HostId; ProviderName = ProviderName; ProviderGuid = ProviderGuid; Path = Path.
#Description
ProviderInfo for GroupOperationId = GroupOperationId; Operation = Operation; HostID = HostId; ProviderName = ProviderName; ProviderGuid = ProviderGuid; Path = Path.
Message #
Fields #
| Name | Description |
|---|---|
GroupOperationId UInt32 | |
Operation UnicodeString | Known values
|
HostId UInt32 | |
ProviderName UnicodeString | |
ProviderGuid UnicodeString | |
Path UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 12,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:08.7213624+00:00",
"event_record_id": 2932,
"correlation": {
"ActivityID": "c4d83776-df9b-4f73-8eb3-abf6fdb18958",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 15356
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_Provider_Info_New": {
"GroupOperationId": "33752",
"Operation": "Provider::ExecQuery - CIMWin32 : select __RELPATH, __RELPATH from Win32_Process",
"HostId": "14556",
"ProviderName": "CIMWin32",
"ProviderGuid": "{d63a5850-8f16-11cf-9f47-00aa00bf345c}",
"Path": "%systemroot%\\system32\\wbem\\cimwin32.dll"
}
},
"message": "ProviderInfo for GroupOperationId = 33752; Operation = Provider::ExecQuery - CIMWin32 : select __RELPATH, __RELPATH from Win32_Process; HostID = 14556; ProviderName = CIMWin32; ProviderGuid = {d63a5850-8f16-11cf-9f47-00aa00bf345c}; Path = %systemroot%\\system32\\wbem\\cimwin32.dll"
}
Event ID 13: Stop OperationId = OperationId; ResultCode = ResultCode.
#Description
Stop OperationId = OperationId; ResultCode = ResultCode.
Message #
Fields #
| Name | Description |
|---|---|
OperationId UInt32 | |
ResultCode HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 13,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:22.5397755+00:00",
"event_record_id": 3704,
"correlation": {
"ActivityID": "eda08d7d-6e98-43be-adba-1f74e64b4281",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 14888
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_Stop_New": {
"OperationId": "33915",
"ResultCode": "0x80041002"
}
},
"message": "Stop OperationId = 33915; ResultCode = 0x80041002"
}
Event ID 14: OperationId = OperationId; Operation = Operation; Channel = Channel; Message = Message.
#Description
OperationId = OperationId; Operation = Operation; Channel = Channel; Message = Message.
Message #
Fields #
| Name | Description |
|---|---|
OperationId UInt32 | |
Operation UnicodeString | Known values
|
Channel UInt32 | |
Message UnicodeString |
Event ID 15: OperationId = OperationId; Operation = Operation; ErrorID = ErrorId; ErrorCategory = ErrorCategory; Message = Message; TargetName = TargetName.
#Description
OperationId = OperationId; Operation = Operation; ErrorID = ErrorId; ErrorCategory = ErrorCategory; Message = Message; TargetName = TargetName.
Message #
Fields #
| Name | Description |
|---|---|
OperationId UInt32 | |
Operation UnicodeString | Known values
|
ErrorId UnicodeString | |
ErrorCategory UInt32 | |
Message UnicodeString | |
TargetName UnicodeString |
Event ID 16: OperationId = OperationId; Operation = Operation; ErrorID = ErrorId; Message = Message.
#Description
OperationId = OperationId; Operation = Operation; ErrorID = ErrorId; Message = Message.
Message #
Fields #
| Name | Description |
|---|---|
OperationId UInt32 | |
Operation UnicodeString | Known values
|
ErrorId HexInt32 | |
Message UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 16,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T20:59:47.4850086+00:00",
"event_record_id": 1271,
"correlation": {
"ActivityID": "64478093-d4f9-0001-b4d0-5164f9d4dc01",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3536,
"thread_id": 11712
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_Provider_Result": {
"OperationId": "32845",
"Operation": "Method Execution",
"ErrorId": "0x0",
"Message": ""
}
},
"message": "OperationId = 32845; Operation = Method Execution; ErrorID = 0x0; Message = "
}
Event ID 17: CorrelationId = CorrelationId; ProcessId = ProcessId; Protocol = Protocol; Operation = Operation; User = User; Namespace = Namespace.
#Description
CorrelationId = CorrelationId; ProcessId = ProcessId; Protocol = Protocol; Operation = Operation; User = User; Namespace = Namespace.
Message #
Fields #
| Name | Description |
|---|---|
CorrelationId UnicodeString | |
ProcessId UInt32 | |
Protocol UnicodeString | Known values
|
Operation UnicodeString | Known values
|
User UnicodeString | |
Namespace UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 17,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:08.7157677+00:00",
"event_record_id": 2926,
"correlation": {
"ActivityID": "64478093-d4f9-0007-03d4-5464f9d4dc01",
"RelatedActivityID": ""
},
"execution": {
"process_id": 12952,
"thread_id": 11016
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_Client": {
"CorrelationId": "{64478093-D4F9-0007-03D4-5464F9D4DC01}",
"ProcessId": "12952",
"Protocol": "DCOM",
"Operation": "MI_Session::EnumerateInstance",
"User": "NULL",
"Namespace": "root\\cimv2"
}
},
"message": "CorrelationId = {64478093-D4F9-0007-03D4-5464F9D4DC01}; ProcessId = 12952; Protocol = DCOM; Operation = MI_Session::EnumerateInstance; User = NULL; Namespace = root\\cimv2"
}
Event ID 18: WMI Events were dropped.
#Event ID 19: Performing delete operation on the WMI repository.
#Description
Performing delete operation on the WMI repository. OperationID = OperationID; Operation = Operation.
Message #
Fields #
| Name | Description |
|---|---|
OperationID UInt32 | |
Operation UnicodeString | Known values
|
ClientProcessId UInt32 | |
ClientMachineFQDN UnicodeString | |
ClientProcessCreationTime UInt64 | |
IsLocal Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 19,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:22.4784408+00:00",
"event_record_id": 3467,
"correlation": {
"ActivityID": "b1d8c3f2-a930-480b-bcb8-cb95471878d4",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 12224
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_RepDelete": {
"OperationID": "33824",
"Operation": "\\\\DESKTOP-K7Q9MS2\\ROOT\\Rsop\\Computer:RSOP_RegistryPolicySetting.id=\"{852A0000-5369-4B5D-A940-3515E805B186}\",precedence=1"
}
},
"message": "Performing delete operation on the WMI repository. OperationID = 33824; Operation = \\\\DESKTOP-K7Q9MS2\\ROOT\\Rsop\\Computer:RSOP_RegistryPolicySetting.id=\"{852A0000-5369-4B5D-A940-3515E805B186}\",precedence=1"
}
Event ID 20: Performing Update operation on the WMI repository.
#Description
Performing Update operation on the WMI repository. OperationID = OperationID; Operation = Operation; Flags = Flags.
Message #
Fields #
| Name | Description |
|---|---|
OperationID UInt32 | |
Operation UnicodeString | Known values
|
Flags UInt32 | |
ClientProcessId UInt32 | |
ClientMachineFQDN UnicodeString | |
ClientProcessCreationTime UInt64 | |
IsLocal Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 20,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:22.4902463+00:00",
"event_record_id": 3508,
"correlation": {
"ActivityID": "258aa0ca-4464-4d48-85ef-f9a43cd8ccbf",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 14888
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"Operation_RepUpdate": {
"OperationID": "33824",
"Operation": "RSOP_ExtensionStatus.extensionGuid=\"{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\"",
"Flags": "1"
}
},
"message": "Performing Update operation on the WMI repository. OperationID = 33824; Operation = RSOP_ExtensionStatus.extensionGuid=\"{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\"; Flags = 1"
}
Event ID 21: WMI Events were bound.
#Description
WMI Events were bound. ConsumerType = ConsumerType; Possiblecause = PossibleCause.
Message #
Fields #
| Name | Description |
|---|---|
ConsumerType UnicodeString | |
PossibleCause UnicodeString |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
data_stream.dataset | eq | windows.sysmon_operational | 1 rule | elastic |
Detection Rules #
View all rules referencing this event →Elastic # view in coverage
Event ID 22: CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; ClassName= ClassName; MethodName = MethodName; ImplementationClass = ImplementationClass; ClientMachin...
#Description
CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; ClassName= ClassName; MethodName = MethodName; ImplementationClass = ImplementationClass; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; NamespaceName = NamespaceName.
Message #
Fields #
| Name | Description |
|---|---|
CorrelationId UnicodeString | |
GroupOperationId UInt32 | |
OperationId UInt32 | |
ClassName UnicodeString | |
MethodName UnicodeString | |
ImplementationClass UnicodeString | |
ClientMachine UnicodeString | |
ClientMachineFQDN UnicodeString | |
User UnicodeString | |
ClientProcessId UInt32 | |
ClientProcessCreationTime UInt64 | |
NamespaceName UnicodeString | |
IsLocal Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 22,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T20:57:44.1010074+00:00",
"event_record_id": 227,
"correlation": {
"ActivityID": "09b2d503-9f8b-44d1-b13f-a24eb51f7612",
"RelatedActivityID": ""
},
"execution": {
"process_id": 3776,
"thread_id": 15116
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"user_data": {
"MethodExec": {
"CorrelationId": "{8D9DCB76-6D12-4141-8AD2-CAE6C7B89797}",
"GroupOperationId": "32845",
"OperationId": "32842",
"ClassName": "MSFT_MpScan",
"MethodName": "Start",
"ImplementationClass": "MSFT_MpScan",
"ClientMachine": "DESKTOP-K7Q9MS2",
"ClientMachineFQDN": "DESKTOP-K7Q9MS2",
"User": "DESKTOP-K7Q9MS2\\localuser",
"ClientProcessId": "14256",
"ClientProcessCreationTime": "134223154630497608",
"NamespaceName": "\\\\.\\ROOT\\Microsoft\\Windows\\Defender",
"IsLocal": "true"
}
},
"message": "CorrelationId = {8D9DCB76-6D12-4141-8AD2-CAE6C7B89797}; GroupOperationId = 32845; OperationId = 32842; ClassName= MSFT_MpScan; MethodName = Start; ImplementationClass = MSFT_MpScan; ClientMachine = DESKTOP-K7Q9MS2; User = DESKTOP-K7Q9MS2\\localuser; ClientProcessId = 14256; NamespaceName = \\\\.\\ROOT\\Microsoft\\Windows\\Defender"
}
Event ID 23: CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; Commandline= Commandline; CreatedProcessId = CreatedProcessId; ClientMachine = CreatedProcessCreationT...
#Description
CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; Commandline= Commandline; CreatedProcessId = CreatedProcessId; ClientMachine = CreatedProcessCreationTime; User = ClientMachineFQDN; ClientProcessId = User.
Message #
Fields #
| Name | Description |
|---|---|
CorrelationId UnicodeString | |
GroupOperationId UInt32 | |
OperationId UInt32 | |
Commandline UnicodeString | |
CreatedProcessId UInt32 | |
CreatedProcessCreationTime UInt64 | |
ClientMachine UnicodeString | |
ClientMachineFQDN UnicodeString | |
User UnicodeString | |
ClientProcessId UInt32 | |
ClientProcessCreationTime UInt64 | |
IsLocal Boolean |
Event ID 24: GroupOperationId = GroupOperationId; Executing polling query Query in namespace NamespaceName.
#Event ID 50: Activity Transfer
#Description
Activity Transfer.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa",
"event_source_name": "",
"event_id": 50,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-03T21:02:22.5402448+00:00",
"event_record_id": 3705,
"correlation": {
"ActivityID": "bf89d6b0-0749-4787-9648-37993808a186",
"RelatedActivityID": "eb2f7cd8-77d6-447b-8b41-85bbc0f0cd29"
},
"execution": {
"process_id": 3776,
"thread_id": 14888
},
"channel": "Microsoft-Windows-WMI-Activity/Trace",
"computer": "DESKTOP-K7Q9MS2",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "Activity Transfer"
}
Event ID 100: ComponentName = ComponentName; MessageDetail = MessageDetail; FileName = FileName.
#Description
ComponentName = ComponentName; MessageDetail = MessageDetail; FileName = FileName.
Message #
Fields #
| Name | Description |
|---|---|
ComponentName UnicodeString | |
MessageDetail UnicodeString | |
FileName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}",
"event_source_name": "",
"event_id": 100,
"version": 0,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": "0x2000000000000000",
"time_created": "2026-06-02T04:29:47.965+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{41135196-7D61-49AA-B971-A65A11898EBC}"
},
"execution": {
"process_id": 11952,
"thread_id": 15276
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ComponentName": "MI_Client",
"FileName": "onecore\\admin\\wmi\\wmiv2\\client\\api\\operation.c:940",
"MessageDetail": "Operation Instance Result (async): session=00000260EE5D9EE0, operation=00000260ED62C9A0, internal-operation=00000260EE4B8C20, resultCode=0, moreResults=TRUE"
},
"message": ""
}
Event ID 101: ComponentName = ComponentName; ErrorId = ErrorId; ErrorDetail = ErrorDetail; FileName = FileName.
#Event ID 5857: Operation_StartedOperational.ProviderName provider started with result code Operation_StartedOperational.Code.
#Description
Operation_StartedOperational.ProviderName provider started with result code Operation_StartedOperational.Code. HostProcess = Operation_StartedOperational.HostProcess; ProcessID = Operation_StartedOperational.ProcessID; ProviderPath = Operation_StartedOperational.ProviderPath.
Message #
Fields #
| Name | Description |
|---|---|
Operation_StartedOperational.ProviderName | Name of the WMI provider that started. |
Operation_StartedOperational.Code | Result code of the provider start operation. |
Operation_StartedOperational.HostProcess | WMI provider process name. |
Operation_StartedOperational.ProcessID | WMI provider process ID. |
Operation_StartedOperational.ProviderPath | Path of the WMI provider module being loaded. |
ProviderName | Name of the WMI provider that started. |
Code | Result code of the provider start operation. |
HostProcess | WMI provider process name. |
ProcessID | WMI provider process ID. |
ProviderPath | Path of the WMI provider module being loaded. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}",
"event_source_name": "",
"event_id": 5857,
"version": 0,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-06-13T10:41:36.8111708+00:00",
"event_record_id": 1482,
"correlation": {},
"execution": {
"process_id": 5884,
"thread_id": 7412
},
"channel": "Microsoft-Windows-WMI-Activity/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"Operation_StartedOperational": {
"ProviderName": "Win32_TpmProvider",
"Code": "0x0",
"HostProcess": "wmiprvse.exe",
"ProcessID": "5884",
"ProviderPath": "C:\\Windows\\System32\\wbem\\Win32_TPM.dll"
}
},
"message": "Win32_TpmProvider provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 5884; ProviderPath = C:\\Windows\\System32\\wbem\\Win32_TPM.dll"
}
References #
Event ID 5858: Id = Operation_ClientFailure.Id; ClientMachine = Operation_ClientFailure.ClientMachine; User = Operation_ClientFailure.User; ClientProcessId = Operation_ClientFailure.ClientProcessId; Component = O...
#Description
Id = ; ClientMachine = ; User = ; ClientProcessId = ; Component = ; Operation = ; ResultCode = ; PossibleCause =.
Message #
Fields #
| Name | Description |
|---|---|
Operation_ClientFailure.Id | Correlation identifier for the operation. |
Operation_ClientFailure.ClientMachine | Name of the machine that issued the WMI request. |
Operation_ClientFailure.User | Account that issued the WMI request. |
Operation_ClientFailure.ClientProcessId | Process ID of the WMI client. |
Operation_ClientFailure.Component | WMI subsystem component that failed. |
Operation_ClientFailure.Operation | WMI operation that failed. |
Operation_ClientFailure.ResultCode | Hexadecimal result code from the failed operation. |
Operation_ClientFailure.PossibleCause | Possible reason for the failure as reported by WMI. |
Id | Correlation identifier for the operation. |
ClientMachine | Name of the machine that issued the WMI request. |
User | Account that issued the WMI request. |
ClientProcessId | Process ID of the WMI client. |
Component | WMI subsystem component that failed. |
Operation | WMI operation that failed. |
ResultCode | Hexadecimal result code from the failed operation. |
PossibleCause | Possible reason for the failure as reported by WMI. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}",
"event_source_name": "",
"event_id": 5858,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-06-13T14:12:35.2925993+00:00",
"event_record_id": 1549,
"correlation": {},
"execution": {
"process_id": 3616,
"thread_id": 7696
},
"channel": "Microsoft-Windows-WMI-Activity/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"Operation_ClientFailure": {
"Id": "{C6821FB2-EF88-0001-F50B-83C688EFDC01}",
"ClientMachine": "TELEMETRY-DC-A",
"User": "cell-a\\domainadmin",
"ClientProcessId": "3256",
"Component": "Unknown",
"Operation": "Start IWbemServices::ExecQuery - root\\cimv2 : Select * from Win32_PingStatus where ((Address='8.8.8.8') And TimeToLive=80 And BufferSize=32)",
"ResultCode": "0x80041032",
"PossibleCause": "Throttling Idle Tasks, refer to CIMOM regkey: ArbTaskMaxIdle"
}
},
"message": "Id = {C6821FB2-EF88-0001-F50B-83C688EFDC01}; ClientMachine = TELEMETRY-DC-A; User = cell-a\\domainadmin; ClientProcessId = 3256; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : Select * from Win32_PingStatus where ((Address='8.8.8.8') And TimeToLive=80 And BufferSize=32); ResultCode = 0x80041032; PossibleCause = Throttling Idle Tasks, refer to CIMOM regkey: ArbTaskMaxIdle"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/wmi-activity-event-5858-logged-with-resultcode-0x80041032
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-WMI-Activity/events/event-5858.yml
Event ID 5859: Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Oper...
#Description
Namespace = ; NotificationQuery = ; OwnerName = ; HostProcessID = ; Provider= , queryID = ; PossibleCause =.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
Operation_EssStarted.NamespaceName | ||
Operation_EssStarted.Query | ||
Operation_EssStarted.User | ||
Operation_EssStarted.Processid | ||
Operation_EssStarted.Provider | ||
Operation_EssStarted.queryid | ||
Operation_EssStarted.PossibleCause | ||
NamespaceName | ||
Query | 1 detection rule | |
User | 1 detection rule | |
processid | ||
providerName | ||
queryid | ||
PossibleCause | 1 detection rule |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}",
"event_source_name": "",
"event_id": 5859,
"version": 0,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-29T16:33:27.8339007+00:00",
"event_record_id": 1302,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0002-7522-82C688EFDC01}"
},
"execution": {
"process_id": 3616,
"thread_id": 5728
},
"channel": "Microsoft-Windows-WMI-Activity/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"Operation_EssStarted": {
"NamespaceName": "//./root/CIMV2",
"Query": "select * from MSFT_SCMEventLogEvent",
"User": "S-1-5-32-544",
"Processid": "3616",
"Provider": "SCM Event Provider",
"queryid": "0",
"PossibleCause": "Permanent"
}
},
"message": "Namespace = //./root/CIMV2; NotificationQuery = select * from MSFT_SCMEventLogEvent; OwnerName = S-1-5-32-544; HostProcessID = 3616; Provider= SCM Event Provider, queryID = 0; PossibleCause = Permanent"
}
Detection Patterns #
Privilege Escalation: Windows Management Instrumentation Event Subscription
WMI-Activity Event ID 5859: Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Operation_EssStarted.Provider, queryID = Operation_EssStarted.queryid; PossibleCause = Operation_EssStarted.PossibleCause.OREvent ID 5861: Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause.
1 rule
Sigma
Community Notes #
Can be used for remote execution.
References #
Event ID 5860: Namespace = Operation_TemporaryEssStarted.NamespaceName; NotificationQuery = Operation_TemporaryEssStarted.Query; UserName = Operation_TemporaryEssStarted.User; ClientProcessID = Operation_Temporar...
#Description
Namespace = ; NotificationQuery = ; UserName = ; ClientProcessID = , ClientMachine = ; PossibleCause =.
Message #
Fields #
| Name | Description |
|---|---|
Operation_TemporaryEssStarted.NamespaceName | WMI namespace for the event subscription. |
Operation_TemporaryEssStarted.Query | WQL query for the temporary event subscription. |
Operation_TemporaryEssStarted.User | Account that registered the subscription. |
Operation_TemporaryEssStarted.Processid | |
Operation_TemporaryEssStarted.ClientMachine | |
Operation_TemporaryEssStarted.PossibleCause | Subscription type indicator. |
NamespaceName | WMI namespace for the event subscription. |
Query | WQL query for the temporary event subscription. |
User | Account that registered the subscription. |
processid | Process ID of the registering client. |
MachineName | Name of the client machine. |
PossibleCause | Subscription type indicator. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}",
"event_source_name": "",
"event_id": 5860,
"version": 0,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-29T16:33:27.9912212+00:00",
"event_record_id": 1305,
"correlation": {},
"execution": {
"process_id": 3616,
"thread_id": 5648
},
"channel": "Microsoft-Windows-WMI-Activity/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"Operation_TemporaryEssStarted": {
"NamespaceName": "ROOT\\CIMV2",
"Query": "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'",
"User": "NT AUTHORITY\\SYSTEM",
"Processid": "3688",
"ClientMachine": "TELEMETRY-DC-A",
"PossibleCause": "Temporary"
}
},
"message": "Namespace = ROOT\\CIMV2; NotificationQuery = SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'; UserName = NT AUTHORITY\\SYSTEM; ClientProcessID = 3688, ClientMachine = TELEMETRY-DC-A; PossibleCause = Temporary"
}
References #
Event ID 5861: Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; Poss...
#Description
Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause.
Message #
Fields #
| Name | Description |
|---|---|
Operation_ESStoConsumerBinding.Namespace | WMI namespace containing the filter and consumer. |
Operation_ESStoConsumerBinding.ESS | Name of the event filter bound to the consumer. |
Operation_ESStoConsumerBinding.CONSUMER | Name and type of the event consumer bound to the filter. |
Operation_ESStoConsumerBinding.PossibleCause | Full text of the event filter and consumer binding, including the WQL query and consumer configuration. |
Namespace | WMI namespace containing the filter and consumer. |
ESS | Name of the event filter bound to the consumer. |
CONSUMER | Name and type of the event consumer bound to the filter. |
PossibleCause | Full text of the event filter and consumer binding, including the WQL query and consumer configuration. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WMI-Activity",
"guid": "{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}",
"event_source_name": "",
"event_id": 5861,
"version": 0,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-29T16:33:27.7987060+00:00",
"event_record_id": 1300,
"correlation": {},
"execution": {
"process_id": 3616,
"thread_id": 5728
},
"channel": "Microsoft-Windows-WMI-Activity/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"Operation_ESStoConsumerBinding": {
"Namespace": "//./root/subscription",
"ESS": "SCM Event Log Filter",
"CONSUMER": "NTEventLogEventConsumer=\"SCM Event Log Consumer\"",
"PossibleCause": "Binding EventFilter: \ninstance of __EventFilter\n{\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventNamespace = \"root\\\\cimv2\";\n\tName = \"SCM Event Log Filter\";\n\tQuery = \"select * from MSFT_SCMEventLogEvent\";\n\tQueryLanguage = \"WQL\";\n};\nPerm. Consumer: \ninstance of NTEventLogEventConsumer\n{\n\tCategory = 0;\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventType = 1;\n\tName = \"SCM Event Log Consumer\";\n\tNameOfUserSIDProperty = \"sid\";\n\tSourceName = \"Service Control Manager\";\n};\n"
}
},
"message": "Namespace = //./root/subscription; Eventfilter = SCM Event Log Filter (refer to its activate eventid:5859); Consumer = NTEventLogEventConsumer=\"SCM Event Log Consumer\"; PossibleCause = Binding EventFilter: \ninstance of __EventFilter\n{\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventNamespace = \"root\\\\cimv2\";\n\tName = \"SCM Event Log Filter\";\n\tQuery = \"select * from MSFT_SCMEventLogEvent\";\n\tQueryLanguage = \"WQL\";\n};\nPerm. Consumer: \ninstance of NTEventLogEventConsumer\n{\n\tCategory = 0;\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventType = 1;\n\tName = \"SCM Event Log Consumer\";\n\tNameOfUserSIDProperty = \"sid\";\n\tSourceName = \"Service Control Manager\";\n};\n"
}
Detection Patterns #
Privilege Escalation: Windows Management Instrumentation Event Subscription
WMI-Activity Event ID 5859: Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Operation_EssStarted.Provider, queryID = Operation_EssStarted.queryid; PossibleCause = Operation_EssStarted.PossibleCause.OREvent ID 5861: Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause.
1 rule
Sigma
Community Notes #
These consumers survive reboots. WMI abuse is a classic technique for file-less persistence.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/persistence/evtx-5861-event-consumer-created.md
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-WMI-Activity/events/event-5861.yml
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}
Defined in WinMgmtR.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.2849, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02