PowerShellCore

Message #

Computer Name $null or . resolve to LocalHost

Message #

Resolving to default scheme http

Message #

Remote shell name resolved to default PowerShellCore

Message #

%3____Context:__%1____User Data:__%2__

Fields #

Message #

%3____Context:__%1____User Data:__%2__

Fields #

Message #

%3____Context:__%1____User Data:__%2__

Fields #

Message #

%3____Context:__%1____User Data:__%2__

Fields #

Message #

Creating Scriptblock text (%1 of %2):__%3____ScriptBlock ID: %4__Path: %5

Fields #

Example Event #

{
  "system": {
    "provider": "PowerShellCore",
    "guid": "{F90714A8-5509-434A-BF6D-B1624C8A19A2}",
    "event_source_name": "",
    "event_id": 4104,
    "version": 1,
    "level": 5,
    "task": 2,
    "opcode": 15,
    "keywords": 0,
    "time_created": "2026-05-30T04:29:54.7799039+00:00",
    "event_record_id": 30,
    "correlation": {
      "ActivityID": "{14429F51-EFE2-000D-01E6-4214E2EFDC01}"
    },
    "execution": {
      "process_id": 11980,
      "thread_id": 5976
    },
    "channel": "PowerShellCore/Operational",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "MessageNumber": "1",
    "MessageTotal": "1",
    "ScriptBlockText": "$global:?",
    "ScriptBlockId": "e76104e3-fb87-4091-ba9e-8ae27765de3e",
    "Path": ""
  },
  "message": "Creating Scriptblock text (1 of 1):\r\n$global:?\r\n\r\nScriptBlock ID: e76104e3-fb87-4091-ba9e-8ae27765de3e\r\nPath: "
}

Message #

Started invocation of ScriptBlock ID: %1__Runspace ID: %2

Fields #

Message #

Completed invocation of ScriptBlock ID: %1__Runspace ID: %2

Fields #

Message #

%3____Context:__%1____User Data:__%2__

Fields #

Message #

%3____Context:__%1____User Data:__%2__

Fields #

Message #

%3____Context:__%1____User Data:__%2__

Fields #

Message #

%3____Context:__%1____User Data:__%2__

Fields #

Message #

Correlating activity id's. __ _ CurrentActivityId: %1 __ _ ParentActivityId: %2

Fields #

Message #

Class Name = %1__Method Name = %2__Workflow GUID = %3__Message = %4__%5__Activity Name = %6__Activity GUID = %7__Parameters = %8

Fields #

Message #

Creating Runspace object __ _ Instance Id: %1

Fields #

Message #

Creating RunspacePool object __ _ InstanceId %1 __ _ MinRunspaces %2 __ _ MaxRunspaces %3

Fields #

Message #

Opening RunspacePool

Fields #

Message #

Modifying activity Id and correlating

Fields #

Message #

Runspace state changed to %1

Fields #

Message #

Attempting session creation retry %1 for error code %2 on session Id %3

Fields #

Message #

Port resolved to %1

Fields #

Message #

AppName resolved to %1

Fields #

Message #

ComputerName resolved to %1

Fields #

Message #

Scheme is %1

Fields #

Message #

Test analytic message

Message #

Connection Paramters are __ Connection URI: %1 __ Resource URI: %2 __ User: %3 __ OpenTimeout: %4 __ IdleTimeout: %5 __ CancelTimeout: %6 __ AuthenticationMechanism: %7 __ Thumb Print: %8 __ MaxUriRedirectionCount: %9 __ MaxReceivedDataSizePerCommand: %10 __ MaxReceivedObjectSize: %11

Fields #

Message #

Modifying activity Id and correlating

Fields #

Message #

AmsiUtil state. __ _ state: %1 __ _ Context: %2

Fields #

Message #

WDAC Query. __ _ Query: %1 __ _ File: %2 __ _ SuccessCode: %3 __ _ ResultCode: %4

Fields #

Message #

WDAC Audit. __ _ Title: %1 __ _ Message: %2 __ _ FullyQualifiedId: %3

Fields #

Message #

Windows PowerShell ISE has started to run script file %1.

Fields #

Message #

Windows PowerShell ISE has started to run a user-selected script from file %1.

Fields #

Message #

Windows PowerShell ISE is stopping the current command.

Message #

Windows PowerShell ISE is resuming the debugger.

Message #

Windows PowerShell ISE is stopping the debugger.

Message #

Windows PowerShell ISE is stepping into debugging.

Message #

Windows PowerShell ISE is stepping over debugging.

Message #

Windows PowerShell ISE is stepping out of debugging.

Message #

Windows PowerShell ISE is enabling all breakpoints.

Message #

Windows PowerShell ISE is disabling all breakpoints.

Message #

Windows PowerShell ISE is removing all breakpoints.

Message #

Windows PowerShell ISE is setting the breakpoint at line #: %1 of file %2.

Fields #

Message #

Windows PowerShell ISE is removing the breakpoint on line #: %1 of file %2.

Fields #

Message #

Windows PowerShell ISE is enabling the breakpoint on line #: %1 of file %2.

Fields #

Message #

Windows PowerShell ISE is disabling the breakpoint on line #: %1 of file %2.

Fields #

Message #

Windows PowerShell ISE has hit a breakpoint on line #: %1 of file %2.

Fields #

Message #

Successfully rehydrated an object. __ _ Deserialized type name: %1 __ _ Rehydrated by casting to type: %2 __ _ Rehydrated object is of type: %3

Fields #

Message #

Failed to rehydrated an object. __ _ Deserialized type name: %1 __ _ Rehydrated by casting to type: %2 __ _ Type cast exception: %3 __ _ Type cast inner exception: %4

Fields #

Message #

Serialization depth has been overriden. __ _ Serialized type name: %1 __ _ Original depth: %2 __ _ Overriden depth: %3 __ _ Current depth below top level: %4

Fields #

Message #

Serialization mode has been overriden. __ _ Serialized type name: %1 __ _ Overriden mode: %2

Fields #

Message #

Serialization of a script property has been skipped, because there is no runspace to use for evaluation of the property. __ _ Property name: %1 __ _ Property owner's type name: %2 __ _ Getter script: %3

Fields #

Message #

Serialization of a property has been skipped, because property getter failed. __ _ Property name: %1 __ _ Property owner's type name: %2 __ _ Exception from property getter: %3 __ _ Inner exception from property getter: %4

Fields #

Message #

Serialization of an enumerable object might not be complete, because object being enumerated threw an exception. __ _ Type of object being enumerated: %1 __ _ Exception: %2

Fields #

Message #

Serialization called object's ToString method which failed. __ _ Type of object: %1 __ _ Exception: %2

Fields #

Message #

Maximum depth below top level has been reached, forcing object to be serialized as strings. __ _ Object type at max depth: %1 __ _ Property name at max depth: %2 __ _ Depth: %3

Fields #

Message #

XmlException has been thrown by the deserializer (most likely indicating incorrect clixml format). __ _ Line number: %1 Line position: %2 __ _ Exception: %3

Fields #

Message #

Serialization of specified properties failed, because one of the specified properties was missing. __ _ Type of object: %1 __ _ Property name: %2

Fields #

Message #

Received object with Runspace Id: %1 Command Id: %2 Destination: %3 DataType: %4 TargetInterface: %5

Fields #

Message #

An unhandled exception occurred in the appdomain. __Exception Type: %1 __Exception Message: %2 __Exception StackTrace: %3

Fields #

Message #

Runspace Id: %1 Pipeline Id: %2. WSMan reported an error with error code: %3. __ Error message: %4 __ StackTrace: %5

Fields #

Message #

An unhandled exception occurred in the appdomain. __Exception Type: %1 __Exception Message: %2 __Exception StackTrace: %3

Fields #

Message #

Runspace Id: %1 Pipeline Id: %2. WSMan reported an error with error code: %3. __ Error message: %4 __ StackTrace: %5

Fields #

Message #

Runspace Id %1. Establishing a connection using WSMan Create Shell

Fields #

Message #

Runspace Id %1. Callback received for WSMan Create Shell

Fields #

Message #

Runspace Id: %1. Closing shell using WSManCloseShell

Fields #

Message #

Runspace Id: %1. Callback received for WSManCloseShell

Fields #

Message #

Runspace Id: %1 Pipeline Id: %2. Sending data of size %3

Fields #

Message #

Runspace Id: %1 Pipeline Id: %2. Callback received for WSManSendShellInputEx

Fields #

Message #

Runspace Id: %1 Pipeline Id: %2. Placing Receive request using WSManReceiveShellOutputEx

Fields #

Message #

Runspace Id: %1 Pipeline Id: %2. Received Data of size %3.

Fields #

Message #

Runspace Id %1 Pipeline Id %2. Establishing a command connection using WSManRunShellCommandEx

Fields #

Message #

Runspace Id %1 Pipeline Id %2. Callback received for command connection

Fields #

Message #

Runspace Id: %1 Pipeline Id %2. Closing transport for command

Fields #

Message #

Runspace Id: %1 Pipeline Id %2. Callback received for command close

Fields #

Message #

Runspace Id: %1 Pipeline Id %2. Sending signal with code %3 using WSManSignalShellEx

Fields #

Message #

Runspace Id: %1 Pipeline Id %2. Callback received for WSManSignalShellEx

Fields #

Message #

Runspace Id: %1. Connection is getting redirected to Uri: %2

Fields #

Message #

Runspace Id: %1 Pipeline Id: %2. Server is sending data of size %3 to client. DataType: %4 TargetInterface: %5

Fields #

Message #

Request %1. Creating a server remote session. UserName: %2 Custom Shell Id: %3

Fields #

Message #

Reporting context for request: %1 Context Reported: %1

Fields #

Message #

Reporting operation complete for request: %1 __ Error Code: %2 __ Error Message: %3 __ StackTrace: %4

Fields #

Message #

Shell Context %1. Request Id %2. Creating a commonad session for running a command.

Fields #

Message #

Shell Context %1 Command Context %2 Request Id %3. Stopping command.

Fields #

Message #

Shell Context %1 Command Context %2 Request Id %3. Received data from client.

Fields #

Message #

Shell Context %1 Command Context %2 Request Id %3. Client sent a receive request so that server can send data.

Fields #

Message #

Shell Context %1 Command Context %2 IsReceiveOperation %3. Got close operation request.

Fields #

Message #

Loading assembly %1 for custom shell with shell Id %2

Fields #

Message #

Loading type %1 for custom shell with shell Id %2

Fields #

Message #

Received remoting fragment. __ _ Object Id: %1 __ _ Fragment Id: %2 __ _ Start Flag: %3 __ _ End Flag: %4 __ _ Payload Length: %5 __ _ Payload Data: %6

Fields #

Message #

Sent remoting fragment. __ _ Object Id: %1 __ _ Fragment Id: %2 __ _ Start Flag: %3 __ _ End Flag: %4 __ _ Payload Length: %5 __ _ Payload Data: %6

Fields #

Message #

Shutting down winrm service.

Message #

PowerShell console is starting up

Example Event #

{
  "system": {
    "provider": "PowerShellCore",
    "guid": "F90714A8-5509-434A-BF6D-B1624C8A19A2",
    "event_source_name": "",
    "event_id": 40961,
    "version": 1,
    "level": 4,
    "task": 4,
    "opcode": 1,
    "keywords": 0,
    "time_created": "2023-11-06T01:36:38.224978+00:00",
    "event_record_id": 13,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-E00D-EEE43710DA01"
    },
    "execution": {
      "process_id": 20676,
      "thread_id": 8100
    },
    "channel": "PowerShellCore/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message #

PowerShell console is ready for user input

Example Event #

{
  "system": {
    "provider": "PowerShellCore",
    "guid": "F90714A8-5509-434A-BF6D-B1624C8A19A2",
    "event_source_name": "",
    "event_id": 40962,
    "version": 1,
    "level": 4,
    "task": 4,
    "opcode": 2,
    "keywords": 0,
    "time_created": "2023-11-06T01:36:44.837777+00:00",
    "event_record_id": 15,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-E00D-EEE43710DA01"
    },
    "execution": {
      "process_id": 20676,
      "thread_id": 8100
    },
    "channel": "PowerShellCore/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message #

Tracing ErrorRecord: __ Message: %1 __ CategoryInfo.Category: %2 __ CategoryInfo.Reason : %3 __ CategoryInfo.TargetName : %4 __ FullyQualifiedErrorId: %5 __ Exception Details: __ Message : %6 __ Stack Trace: %7 __ InnerException %8 __

Fields #

Message #

Exception: __ Message: %1 __ StackTrace: %2 __ InnerException : %3 __

Fields #

Message #

Tracing PSObject

Message #

Tracing Job: __ Id: %1 __ InstanceId: %2 __ Name: %3 __ Location: %4 __ State: %5 __ Command: %6 __

Fields #

Message #

Trace Information: __ %1

Fields #

Message #

Connection Paramters are __ Connection URI: %1 __ Resource URI: %2 __ User: %3 __ OpenTimeout: %4 __ IdleTimeout: %5 __ CancelTimeout: %6 __ AuthenticationMechanism: %7 __ Thumb Print: %8 __ MaxUriRedirectionCount: %9 __ MaxReceivedDataSizePerCommand: %10 __ MaxReceivedObjectSize: %11

Fields #

Message #

Workflow plugin loaded. __ _ EndpointName: %1 __ _ User: %2 __ _ HostingMode: %3 __ _ Protocol: %4 __ _ Configuration: __ %5

Fields #

Message #

Workflow execution started. __ _ WorkflowId: %1 __ _ ManagedNodes: %2

Fields #

Message #

Workflow state changed. __ _ WorkflowId: %1 __ _ NewState: %2 __ _ OldState: %3

Fields #

Message #

Workflow plugin has been requested for a shutdown. __ _ EndpointName: %1

Fields #

Message #

Workflow plugin restarted. __ _ EndpointName: %1

Fields #

Message #

Workflow is resuming. __ _ WorkflowId: %1

Fields #

Message #

A quota limit that was set for the endpoint was exceeded. __ _ EndpointName: %1 __ _ ConfigName: %2 __ _ AllowedValue: %3 __ _ ValueInQuestion: %4

Fields #

Message #

Workflow has resumed. __ _ WorkflowId: %1

Fields #

Message #

Workflow runspace pool was created. __ _ WorkflowId: %1 __ _ ManagedNode: %2

Fields #

Message #

Activity was queued for execution. __ _ WorkflowId: %1 __ _ ActivityName: %2

Fields #

Message #

Activity execution started. __ _ ActivityName: %1 __ _ ActivityTypeName: %2

Fields #

Message #

Workflow is being imported from a XAML file. __ _ WorkflowId: %1 __ _ XamlFile: %2

Fields #

Message #

Workflow has been imported from a XAML file. __ _ WorkflowId: %1 __ _ XamlFile: %2

Fields #

Message #

Workflow could not be imported from a XAML file because of an error. __ _ WorkflowId: %1 __ _ ErrorDescription: %2

Fields #

Message #

Workflow validation started. __ _ WorkflowId: %1

Fields #

Message #

Workflow validation succeeded. __ _ WorkflowId: %1

Fields #

Message #

Workflow validation failed with error. __ _ WorkflowId: %1

Fields #

Message #

Workflow activity validated. __ _ WorkflowId: %1 __ _ ActivityDisplayName: %2 __ _ ActivityTypeName: %3

Fields #

Message #

Workflow activity could not be validated. __ _ WorkflowId: %1 __ _ ActivityDisplayName: %2 __ _ ActivityTypeName: %3

Fields #

Message #

Activity execution failed. __ _ WorkflowId: %1 __ _ ActivityName: %2 __ _ FailureDescription: %3

Fields #

Message #

Runspace availability changed. __ _ RunspaceId: %1 __ _ Availability: %2

Fields #

Message #

Runspace state changed. __ _ RunspaceId: %1 __ _ NewState: %2 __ _ OldState: %3

Fields #

Message #

Workflow loaded for execution. __ _ WorkflowId: %1

Fields #

Message #

Workflow unloaded. __ _ WorkflowId: %1

Fields #

Message #

Workflow execution cancelled. __ _ WorkflowId: %1

Fields #

Message #

Workflow execution aborted. __ _ WorkflowId: %1

Fields #

Message #

Workflow cleanup operation executed. __ _ WorkflowId: %1

Fields #

Message #

Persisted workflow loaded from disk. __ _ WorkflowId: %1 __ _ Path: %2

Fields #

Message #

Workflow data was deleted from disk. __ _ WorkflowId: %1 __ _ Path: %2

Fields #

Message #

Starting remove job. __ _ JobId: %1

Fields #

Message #

Job state changed. __ _ JobId: %1 __ _ WorkflowId: %2 __ _ NewState: %3 __ _ OldState: %4

Fields #

Message #

Job error. __ _ JobId: %1 __ _ WorkflowId: %2 __ _ ErrorDescription: %3

Fields #

Message #

Job created for workflow (child job). __ _ ParentJobId: %1 __ _ ChildJobId: %2 __ _ ChildWorkflowId: %3

Fields #

Message #

Parent job created for workflow. __ _ JobId: %1

Fields #

Message #

All required jobs were created for workflow execution. __ _ JobId: %1 __ _ WorkflowId: %2

Fields #

Message #

Child job removed for workflow. __ _ ParentJobId: %1 __ _ ChildJobId: %2 __ _ WorkflowId: %3

Fields #

Message #

An error occurred while removing job. __ _ ParentJobId: %1 __ _ ChildJobId: %2 __ _ WorkflowId: %3 __ _ Error: %4

Fields #

Message #

Loading workflow for execution. __ _ WorkflowId: %1

Fields #

Message #

Workflow execution finished. __ _ WorkflowId: %1

Fields #

Message #

Cancelling workflow execution. __ _ WorkflowId: %1

Fields #

Message #

Aborting workflow execution. __ _ WorkflowId: %1 __ _ Reason: %2

Fields #

Message #

Unloading workflow. __ _ WorkflowId: %1

Fields #