Microsoft-Windows-Bits-Client
114 events across 3 channels
Event ID 0 —
Event ID 1 — BITS job "Title" with ID JobGuid has been resumed.
Event ID 2 — BITS job "Title" with ID JobGuid has been suspended.
Event ID 3 — The BITS service created a new job: jobTitle, with owner jobId.
Description
The BITS service created a new job: jobTitle, with owner jobId.
Fields
| Name | Type | Description |
|---|---|---|
| jobTitle | UnicodeString | Transfer job. |
| jobId | GUID | — |
| jobOwner | UnicodeString | Owner. |
| processPath | UnicodeString | — |
| processId | UInt32 | — |
| ClientProcessStartKey | UInt64 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 3,
"version": 3,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:45:20.897391+00:00",
"event_record_id": 432,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-3588-E4E43710DA01"
},
"execution": {
"process_id": 16164,
"thread_id": 17248
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"jobTitle": "Chrome Component Updater",
"jobId": "9A25D168-24E6-4C66-AC78-5ED0E6007F1A",
"jobOwner": "WINDEV2310EVAL\\User",
"processPath": "C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.222.982.0_x64__zpdnekdrzrea0\\Spotify.exe",
"processId": 2208,
"ClientProcessStartKey": 3659174697241209
},
"message": ""
}
Detection Rules
Sigma
- New BITS Job Created Via Bitsadmin (low): Detects the creation of a new BITS job by Bitsadmin
- New BITS Job Created Via PowerShell (low): Detects the creation of a new BITS job by PowerShell
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4 — The transfer job is complete.
Description
The transfer job is complete.
Fields
| Name | Type | Description |
|---|---|---|
| User | UnicodeString | — |
| jobTitle | UnicodeString | Transfer job. |
| jobId | GUID | — |
| jobOwner | UnicodeString | Owner. |
| fileCount | UInt64 | — |
| bytesTransferred | UInt64 | — |
| bytesTransferredFromPeer | UInt64 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 4,
"version": 1,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T02:02:24.353689+00:00",
"event_record_id": 436,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-3588-E4E43710DA01"
},
"execution": {
"process_id": 16164,
"thread_id": 5192
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"User": "WINDEV2310EVAL\\User",
"jobTitle": "Edge Component Updater",
"jobId": "3C77FC9E-C30A-4FC3-804B-82E48B3059B6",
"jobOwner": "WINDEV2310EVAL\\User",
"fileCount": 1,
"bytesTransferred": 201001,
"bytesTransferredFromPeer": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5 — Job cancelled.
Description
Job cancelled. User: User, job: jobTitle, jobID: jobId, owner: jobOwner, filecount: fileCount.
Fields
| Name | Type | Description |
|---|---|---|
| User | UnicodeString | Job cancelled. User. |
| jobTitle | UnicodeString | — |
| jobId | GUID | — |
| jobOwner | UnicodeString | — |
| fileCount | UInt64 | — |
| processId | UInt32 | — |
| ClientProcessStartKey | UInt64 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 5,
"version": 1,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-10-25T21:23:18.455184+00:00",
"event_record_id": 20,
"correlation": {
"ActivityID": "DE03B784-07C3-0003-32C2-03DEC307DA01"
},
"execution": {
"process_id": 4816,
"thread_id": 4860
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"User": "NT AUTHORITY\\LOCAL SERVICE",
"jobTitle": "Font Download",
"jobId": "BF87B9AA-D285-46CB-89FF-C6C111F0E4CB",
"jobOwner": "NT AUTHORITY\\LOCAL SERVICE",
"fileCount": 1,
"processId": 2948,
"ClientProcessStartKey": 562949953421373
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6 — Command-line command set for job jobId with owner jobOwner.
Description
Command-line command set for job jobId with owner jobOwner. Program: program Args: parameters.
Fields
| Name | Type | Description |
|---|---|---|
| jobId | GUID | — |
| jobOwner | UnicodeString | — |
| program | UnicodeString | Program. |
| parameters | UnicodeString | Args. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 6,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-10-25T21:25:55.426533+00:00",
"event_record_id": 32,
"correlation": {
"ActivityID": "DE03B784-07C3-0003-E610-04DEC307DA01"
},
"execution": {
"process_id": 4940,
"thread_id": 5896
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"jobId": "F36CA3CE-3AEB-4592-B4ED-D23E59938DF9",
"jobOwner": "NT AUTHORITY\\SYSTEM",
"program": "C:\\Windows\\system32\\directxdatabaseupdater.exe",
"parameters": "C:\\Windows\\system32\\directxdatabaseupdater.exe -DatabaseComplete {F36CA3CE-3AEB-4592-B4ED-D23E59938DF9}"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10 — BITS started listening for peer-client requests.
Description
BITS started listening for peer-client requests.
Event ID 11 — BITS was not able to listen for peer-client requests.
Event ID 12 — BITS stopped listening for peer-client requests.
Description
BITS stopped listening for peer-client requests.
Event ID 13 — BITS started listening for peer-server announcements.
Description
BITS started listening for peer-server announcements.
Event ID 14 — BITS was not able to listen for peer-server announcements.
Event ID 15 — BITS stopped listening for peer-server announcements.
Description
BITS stopped listening for peer-server announcements.
Event ID 16 — BITS has sent an inquiry for peer servers.
Description
BITS has sent an inquiry for peer servers.
Event ID 17 — BITS has read the policy parameters for peer-caching.
Description
BITS has read the policy parameters for peer-caching.
Fields
| Name | Type | Description |
|---|---|---|
| peerCacheEnabled | Boolean | — |
| peerClientEnabled | Boolean | — |
| peerServerEnabled | Boolean | — |
| maxPeers | UInt32 | — |
| maxClients | UInt32 | — |
| maxContentAge | UInt32 | — |
| maxCacheSize | UInt32 | — |
| minCacheDiskSize | UInt32 | — |
| cacheDenyUrls | UnicodeString | — |
| denyUrlCount | UInt8 | — |
| denyUrls | UnicodeString | — |
Event ID 18 — The peer list rejected an incoming server announcement.
Description
The peer list rejected an incoming server announcement. This event is generated if the request is not valid, not if the server is merely in a different Windows domain.
Fields
| Name | Type | Description |
|---|---|---|
| packet | UnicodeString | — |
| hr | UInt32 | — |
| fqdn | UnicodeString | — |
| sourceAddress | Binary | — |
| addressCount | UInt8 | — |
| addresses | UnicodeString | — |
Event ID 19 — A new peer was added.
Event ID 20 — A peer was updated.
Event ID 21 — A peer was removed from the peer list.
Event ID 22 — A cached peer was restored from disk.
Event ID 23 — An application cleared the peer list.
Event ID 24 — BITS has replied to a client's inquiry for peer servers.
Event ID 25 — The server received a peer inquiry but rejected it.
Event ID 27 — A peer search for an URL has begun.
Event ID 28 — A peer search ended.
Event ID 29 — A search request is being sent.
Event ID 30 — A search request has completed.
Event ID 31 — A search request has completed unsuccessfully.
Event ID 32 — The peer's record id matched the request.
Event ID 33 — BITS updated the set of IP addresses used for peer-caching.
Event ID 34 — Job cannot be transferred because job transfer cost policy preventing it.
Description
Job cannot be transferred because job transfer cost policy preventing it. job: jobName, jobID: jobId, filecount: FileCount, jobs transfer policy: jobTransferPolicy, global transfer policy: globalTransferPolicy.
Fields
| Name | Type | Description |
|---|---|---|
| jobName | UnicodeString | — |
| jobId | GUID | — |
| FileCount | UInt64 | — |
| jobTransferPolicy | UInt32 | — |
| globalTransferPolicy | UInt32 | — |
Event ID 37 — The cost state has changed.
Event ID 59 — BITS started the name transfer job that is associated with the url URL.
Description
BITS started the name transfer job that is associated with the url URL.
Fields
| Name | Type | Description |
|---|---|---|
| transferId | GUID | — |
| name | UnicodeString | — |
| Id | GUID | — |
| url | UnicodeString | — |
| peer | UnicodeString | — |
| fileTime | FILETIME | — |
| fileLength | UInt64 | — |
| bytesTotal | UInt64 | — |
| bytesTransferred | UInt64 | — |
| bytesTransferredFromPeer | UInt64 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 59,
"version": 1,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:45:21.457190+00:00",
"event_record_id": 434,
"correlation": {
"ActivityID": "837C306A-427B-4022-ABDF-56DD359EB862"
},
"execution": {
"process_id": 16164,
"thread_id": 12700
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"transferId": "837C306A-427B-4022-ABDF-56DD359EB862",
"name": "Chrome Component Updater",
"Id": "9A25D168-24E6-4C66-AC78-5ED0E6007F1A",
"url": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
"peer": "",
"fileTime": "2023-09-22T20:52:50.000000Z",
"fileLength": 14317402,
"bytesTotal": 14317402,
"bytesTransferred": 0,
"bytesTransferredFromPeer": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 60 — BITS stopped transferring the name transfer job that is associated with the url URL.
Description
BITS stopped transferring the name transfer job that is associated with the url URL. The status code is hr.
Fields
| Name | Type | Description |
|---|---|---|
| transferId | GUID | — |
| name | UnicodeString | — |
| Id | GUID | — |
| url | UnicodeString | — |
| peer | UnicodeString | — |
| hr | UInt32 | — |
| fileTime | FILETIME | — |
| fileLength | UInt64 | — |
| bytesTotal | UInt64 | — |
| bytesTransferred | UInt64 | — |
| proxy | UnicodeString | — |
| peerProtocolFlags | UInt64 | — |
| bytesTransferredFromPeer | UInt64 | — |
| AdditionalInfoHr | UInt32 | — |
| PeerContextInfo | UInt32 | — |
| bandwidthLimit | UInt64 | — |
| ignoreBandwidthLimitsOnLan | Boolean | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 60,
"version": 1,
"level": 4,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:45:52.846707+00:00",
"event_record_id": 435,
"correlation": {
"ActivityID": "837C306A-427B-4022-ABDF-56DD359EB862"
},
"execution": {
"process_id": 16164,
"thread_id": 12832
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"transferId": "837C306A-427B-4022-ABDF-56DD359EB862",
"name": "Chrome Component Updater",
"Id": "9A25D168-24E6-4C66-AC78-5ED0E6007F1A",
"url": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
"peer": "",
"hr": 0,
"fileTime": "2023-09-22T20:52:50.000000Z",
"fileLength": 14317402,
"bytesTotal": 14317402,
"bytesTransferred": 14317402,
"proxy": "",
"peerProtocolFlags": 0,
"bytesTransferredFromPeer": 0,
"AdditionalInfoHr": 0,
"PeerContextInfo": 0,
"bandwidthLimit": 18446744073709551615,
"ignoreBandwidthLimitsOnLan": false
},
"message": ""
}
Community Notes
Surfaces Background Intelligent Transfer Service misuse for exfil or downloads.
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 61 — BITS stopped transferring the name transfer job that is associated with the url URL.
Description
BITS stopped transferring the name transfer job that is associated with the url URL. The status code is hr.
Fields
| Name | Type | Description |
|---|---|---|
| transferId | GUID | — |
| name | UnicodeString | — |
| Id | GUID | — |
| url | UnicodeString | — |
| peer | UnicodeString | — |
| hr | UInt32 | — |
| fileTime | FILETIME | — |
| fileLength | UInt64 | — |
| bytesTotal | UInt64 | — |
| bytesTransferred | UInt64 | — |
| proxy | UnicodeString | — |
| peerProtocolFlags | UInt64 | — |
| bytesTransferredFromPeer | UInt64 | — |
| AdditionalInfoHr | UInt32 | — |
| PeerContextInfo | UInt32 | — |
| bandwidthLimit | UInt64 | — |
| ignoreBandwidthLimitsOnLan | Boolean | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 61,
"version": 1,
"level": 3,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2023-10-25T21:23:18.535833+00:00",
"event_record_id": 25,
"correlation": {
"ActivityID": "B93FF5C2-FB5D-428C-88AE-EE3A7EE94E1C"
},
"execution": {
"process_id": 4816,
"thread_id": 2800
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"transferId": "B93FF5C2-FB5D-428C-88AE-EE3A7EE94E1C",
"name": "Font Download",
"Id": "0732C691-11CC-4489-AA3A-006D80128165",
"url": "https://fs.microsoft.com/fs/windows/fontset-2017-04.json",
"peer": "",
"hr": 2149580817,
"fileTime": "1601-01-01T00:00:00.000000Z",
"fileLength": 18446744073709551615,
"bytesTotal": 18446744073709551615,
"bytesTransferred": 0,
"proxy": "",
"peerProtocolFlags": 0,
"bytesTransferredFromPeer": 0,
"AdditionalInfoHr": 0,
"PeerContextInfo": 0,
"bandwidthLimit": 18446744073709551615,
"ignoreBandwidthLimitsOnLan": false
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 62 — The BITS job named "Title" belonging to user Owner received inconsistent data while downloading.
Event ID 63 — The BITS job Job is configured to launch Pgm after transfer of Url.
Event ID 64 — The BITS job Job is configured to launch Pgm after transfer of Url.
Description
The BITS job Job is configured to launch Pgm after transfer of Url. The service failed to launch the program with error hr, BITS will continue trying to launch the program periodically until it succeeds.
Fields
| Name | Type | Description |
|---|---|---|
| Job | UnicodeString | — |
| Url | UnicodeString | — |
| Pgm | UnicodeString | — |
| hr | UInt32 | — |
Event ID 70 — BITS received a peer-cache request from a client at address clientAddress.
Event ID 71 — The client's search request is for "url" with timestamp timestamp.
Event ID 72 — The cache found a matching cache record with ID id.
Event ID 73 — While processing the client's request, BITS encountered error ErrorCode.
Event ID 74 — BITS rejected the client's request with HTTP status status.
Description
BITS rejected the client's request with HTTP status status.
Fields
| Name | Type | Description |
|---|---|---|
| status | UInt16 | — |
Event ID 75 — BITS has finished processing the client request.
Description
BITS has finished processing the client request.
Event ID 76 — The request includes the client's event-log activity ID.
Description
The request includes the client's event-log activity ID.
Event ID 77 — BITS search for peer-servers has started.
Description
BITS search for peer-servers has started.
Event ID 78 — BITS has encountered ErrorCode error while reading the peer-cache information.
Event ID 79 — BITS has successfully deleted the peer-cache.
Description
BITS has successfully deleted the peer-cache. All the files cached until this point have been removed. The peer-cache will be re-created again as needed for handling the future requests.
Event ID 80 — BITS has successfully enabled peer-client and/or peer-server related components.
Description
BITS has successfully enabled peer-client and/or peer-server related components.
Event ID 81 — BITS has encountered ErrorCode error while starting one or more peer-client or peer-server components.
Event ID 82 — BITS accessed group policy value Title : PolicyValue.
Description
BITS accessed group policy value Title : PolicyValue.
Fields
| Name | Type | Description |
|---|---|---|
| Title | UnicodeString | — |
| PolicyValue | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 82,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.441395+00:00",
"event_record_id": 17,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Title": "MaxTransferRateOffSchedule",
"PolicyValue": 4294967295
},
"message": ""
}
Event ID 83 — BITS defaulted group policy value Title : PolicyValue.
Description
BITS defaulted group policy value Title : PolicyValue.
Fields
| Name | Type | Description |
|---|---|---|
| Title | UnicodeString | — |
| PolicyValue | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 83,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.345490+00:00",
"event_record_id": 4,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Title": "DisableBranchCache",
"PolicyValue": 0
},
"message": ""
}
Event ID 101 — The peer's response to a search was invalid.
Event ID 102 — The file ranges associated with a transfer attempt
Event ID 200 — While transferring URL, BITS encountered error hr using owner as the HTTP proxy server.
Fields
| Name | Type | Description |
|---|---|---|
| URL | — | — |
| hr | UInt32 | — |
| owner | UnicodeString | This may indicate a problem with the proxy server or with the client's network configuration. If this error occurs frequently, then an administrator should investigate. |
| jobid | — | — |
| xferId | GUID | — |
| proxyServerList | UnicodeString | — |
| url | UnicodeString | — |
| proxy | UnicodeString | — |
| job | UnicodeString | — |
| jobId | GUID | — |
Event ID 201 — The BITS job named "job" was unable to contact any HTTP proxy server in its proxy list.
Event ID 202 — While transferring owner, BITS encountered error urlContentLength using hr as the HTTP proxy server.
Fields
| Name | Type | Description |
|---|---|---|
| owner | — | — |
| jobId | GUID | — |
| url | UnicodeString | — |
| xferId | GUID | — |
| proxyServer | — | — |
| hr | UInt32 | — |
| urlContentLength | — | — |
| urlHttpVersion | — | — |
| urlRange | — | — |
| jobName | UnicodeString | — |
| jobOwner | UnicodeString | — |
| proxy | UnicodeString | — |
| fileLength | UInt64 | — |
| HTTPVersion | UnicodeString | — |
| URLRange | UnicodeString | — |
Event ID 203 — The BITS service provided job credentials in response to an authentication challenge from the server server for the job transfer job that is associated ...
Description
The BITS service provided job credentials in response to an authentication challenge from the server server for the job transfer job that is associated with the following URL: url.
Fields
| Name | Type | Description |
|---|---|---|
| server | UnicodeString | — |
| job | UnicodeString | — |
| url | UnicodeString | — |
| scheme | UnicodeString | — |
| user | UnicodeString | — |
Event ID 204 — The BITS service provided job credentials in response to an authentication challenge from server for job job, url url.
Description
The BITS service provided job credentials in response to an authentication challenge from server for job job, url url. The credentials were rejected.
Fields
| Name | Type | Description |
|---|---|---|
| server | UnicodeString | — |
| job | UnicodeString | — |
| url | UnicodeString | Transfer job that is associated with the following URL. |
| scheme | UnicodeString | — |
| user | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 204,
"version": 1,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-14T22:56:18.815891+00:00",
"event_record_id": 443,
"correlation": {},
"execution": {
"process_id": 9052,
"thread_id": 6016
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"server": "outlook.office365.com",
"job": "Microsoft Outlook Offline Address Book 9bcc1d66a60a9745b5d797f23d8b2f80",
"url": "/OAB/1e7ad0fe-e5d2-428b-a1de-bd1a0d0e6cb9/oab.xml",
"scheme": "UNIDENTIFIED",
"user": "S-1-5-21-1006758700-2167138679-1475694448-1105"
},
"message": ""
}
Event ID 205 — A bandwidth slot transition occurred.
Event ID 206 — The URL "url" in BITS job "jobName" does not support the HTTP HEAD verb, which is required for BITS bandwidth throttling.
Event ID 207 — The URL "url" in BITS job "jobName" does not support the HTTP Content-Length header, which is required for BITS bandwidth throttling.
Event ID 208 — A flash-Crowd situation is detected for the URL "url" in BITS job "jobName".
Event ID 209 — High performance property for BITS job "jobName" with ID "jobId" isRoaming.
Description
High performance property for BITS job "jobName" with ID "jobId" isRoaming.
Fields
| Name | Type | Description |
|---|---|---|
| jobName | UnicodeString | — |
| jobId | GUID | — |
| isRoaming | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 209,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:27:06.012810+00:00",
"event_record_id": 121,
"correlation": {
"ActivityID": "F590C418-1079-0000-98E3-90F57910DA01"
},
"execution": {
"process_id": 5620,
"thread_id": 4004
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"jobName": "Font Download",
"jobId": "45827C8A-7310-400E-A51E-179189C5AC76",
"isRoaming": 1
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 210 — The URL "url" in BITS job "jobName" does not support the HTTP Content-Range header, which is required for BITS bandwidth throttling.
Event ID 211 — BITS job "Title" with ID "JobGuid" encountered an error ErrorCode.
Event ID 212 — BITS service has detected a 'SystemEvent' system event.
Description
BITS service has detected a 'SystemEvent' system event.
Fields
| Name | Type | Description |
|---|---|---|
| SystemEvent | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 212,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.656795+00:00",
"event_record_id": 22,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8132
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"SystemEvent": 7
},
"message": ""
}
Event ID 213 — Job is not currently transferring because one of its transfer policies conflicts with current system state.
Description
Job is not currently transferring because one of its transfer policies conflicts with current system state. job: jobName, jobID: jobId, filecount: FileCount, block reason: BlockReasonErrorCode.
Fields
| Name | Type | Description |
|---|---|---|
| jobName | UnicodeString | — |
| jobId | GUID | — |
| FileCount | UInt64 | — |
| BlockReasonErrorCode | UInt32 | — |
Event ID 281 — The service is generating its common global data.
Description
The service is generating its common global data.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 281,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.303306+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 282 — The service is reading its group policy settings.
Description
The service is reading its group policy settings.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 282,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.344992+00:00",
"event_record_id": 3,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 283 — The service is creating its performance counters.
Description
The service is creating its performance counters.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 283,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.302664+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 284 — The service is searching for gateway devices.
Description
The service is searching for gateway devices.
Event ID 285 — The service is starting the peer-caching client.
Description
The service is starting the peer-caching client.
Event ID 286 — The service is starting the peer-caching server.
Description
The service is starting the peer-caching server.
Event ID 287 — The service is reading the job list from the disk.
Description
The service is reading the job list from the disk.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 287,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.441546+00:00",
"event_record_id": 20,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 288 — The service is updating its list of active network connections.
Description
The service is updating its list of active network connections.
Event ID 289 — The service is updating its list of logged-in users.
Description
The service is updating its list of logged-in users.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 289,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.584106+00:00",
"event_record_id": 21,
"correlation": {
"ActivityID": "8B83AF9E-B321-0005-D06D-848B21B3DC01"
},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 290 — The service is creating the Volume Shadow Copy writer.
Description
The service is creating the Volume Shadow Copy writer.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 290,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.701261+00:00",
"event_record_id": 24,
"correlation": {
"ActivityID": "8B83AF9E-B321-0005-D06D-848B21B3DC01"
},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 291 — The service is registering its COM objects.
Description
The service is registering its COM objects.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 291,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.769863+00:00",
"event_record_id": 25,
"correlation": {
"ActivityID": "8B83AF9E-B321-0005-D06D-848B21B3DC01"
},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 301 — The BITS service has started successfully.
Description
The BITS service has started successfully.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 301,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.781430+00:00",
"event_record_id": 29,
"correlation": {
"ActivityID": "8B83AF9E-B321-0005-D06D-848B21B3DC01"
},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 302 — The BITS service has started successfully, but it was delayed long enough that there may be a problem.
Event ID 303 — The peer-cache client startup phase of startup has completed.
Description
The peer-cache client startup phase of startup has completed.
Event ID 304 — The service is shutting down.
Description
The service is shutting down.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 304,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:25:56.771683+00:00",
"event_record_id": 30,
"correlation": {
"ActivityID": "8B83AF9E-B321-0005-D06D-848B21B3DC01"
},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 305 — The service shutdown is complete.
Description
The service shutdown is complete.
Message #
Event ID 306 — The BITS service loaded the job list from disk.
Description
The BITS service loaded the job list from disk.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 306,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T00:47:39.589942+00:00",
"event_record_id": 416,
"correlation": {},
"execution": {
"process_id": 16164,
"thread_id": 16220
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 307 — It took number seconds to write a change file to the BITS job list.
Event ID 308 — The BITS service shut down successfully, but it was delayed for number seconds.
Message #
Fields #
| Name | Description |
|---|---|
| number Double | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 308,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2021-06-13T06:19:28.351119Z",
"event_record_id": 17,
"correlation": {
"#attributes": {
"ActivityID": "9E13646C-6014-0001-5C6E-139E1460D701"
}
},
"execution": {
"process_id": 1140,
"thread_id": 356
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "sv-dc.hinokabegakure-no-sato.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"number": "3199.234"
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 309 — The BITS peer cache was unable to find any peers in the network.
Description
The BITS peer cache was unable to find any peers in the network.
Message #
Event ID 310 — The initialization of the peer helper modules failed with the following error: ErrorCode.
Description
The initialization of the peer helper modules failed with the following error: ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
| ErrorCode UInt32 | The initialization of the peer helper modules failed with the following error. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 310,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T00:48:24.805665+00:00",
"event_record_id": 419,
"correlation": {},
"execution": {
"process_id": 16164,
"thread_id": 15644
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ErrorCode": 2147942450
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 311 — The BITS peer transfer with the JobId ID for the JobName transfer job resulted in the following error: ErrorCode.
Description
The BITS peer transfer with the JobId ID for the JobName transfer job resulted in the following error: ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
| JobId GUID | — |
| JobName UnicodeString | — |
| url UnicodeString | — |
| ErrorCode UInt32 | — |
| ErrorContext UInt8 | — |
| bytesTransferredFromPeer UInt64 | — |
| PeerProtocolFlags UInt64 | — |
Event ID 312 — The Network List Manager Cost Interface is not available on this system.
Event ID 313 — The Network List Manager Cost Interface is reporting no network connectivity.
Event ID 16384 — The administrator User canceled job "Title" on behalf of Owner.
Event ID 16385 — While canceling job "Title", BITS was unable to remove some temporary files.
Event ID 16386 — While canceling job "Title", BITS was unable to remove some temporary files.
Event ID 16387 — The administrator Owner modified the PropertyName property of job "Title".
Event ID 16388 — The administrator User took ownership of job "Title" from Owner.
Event ID 16389 — Job "Title" owned by Owner was canceled after being inactive for more than DayCount days.
Event ID 16390 — Job "Title" owned by Owner failed to notify its associated application.
Event ID 16391 — The BITS job list is not in a recognized format.
Description
The BITS job list is not in a recognized format. It may have been created by a different version of BITS. The job list has been cleared.
Message #
Event ID 16392 — The BITS service failed to start.
Description
The BITS service failed to start. Error ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
| ErrorCode UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 16392,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2025-12-31T19:34:50.503454+00:00",
"event_record_id": 319,
"correlation": {
"ActivityID": "159FE9D7-7A73-0001-5538-A015737ADC01"
},
"execution": {
"process_id": 7452,
"thread_id": 1064
},
"channel": "System",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ErrorCode": 2147943515
},
"message": ""
}
Event ID 16393 — BITS has encountered an error communicating with an Internet Gateway Device.
Event ID 16394 — BITS Peer-caching protocol
Description
BITS Peer-caching protocol.
Message #
Event ID 16395 — Web Services-Discovery protocol
Description
Web Services-Discovery protocol.
Message #
Event ID 16396 — Error status occurred when BITS tried to change the state of firewall rule "rule" to enabled.
Description
Error status occurred when BITS tried to change the state of firewall rule "rule" to enabled. Restarting the BITS service may correct the problem.
Message #
Fields #
| Name | Description |
|---|---|
| rule UnicodeString | — |
| enabled Boolean | — |
| status UInt32 | — NTSTATUS reference |
Event ID 16397 — The Per-user job limit specified through Group Policy must be less than or equal to Per-computer job Limit.
Event ID 16398 — A new BITS job could not be created.
Event ID 16400 — A new BITS job could not be created.
Event ID 16401 — BITS could not add file(s) to entityName job.
Event ID 16402 — BITS could not add ranges to entityName file.
Event ID 16403 —
Fields #
| Name | Description |
|---|---|
| User UnicodeString | — |
| jobTitle UnicodeString | — |
| jobId GUID | — |
| jobOwner UnicodeString | — |
| fileCount UInt64 | — |
| RemoteName UnicodeString | — |
| LocalName UnicodeString | — |
| processId UInt32 | — |
| ClientProcessStartKey UInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 16403,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:45:21.024078+00:00",
"event_record_id": 433,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-3588-E4E43710DA01"
},
"execution": {
"process_id": 16164,
"thread_id": 18264
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"User": "WINDEV2310EVAL\\User",
"jobTitle": "Chrome Component Updater",
"jobId": "9A25D168-24E6-4C66-AC78-5ED0E6007F1A",
"jobOwner": "WINDEV2310EVAL\\User",
"fileCount": 1,
"RemoteName": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
"LocalName": "C:\\Users\\User\\AppData\\Local\\Temp\\chrome_BITS_2208_583787314\\oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
"processId": 2208,
"ClientProcessStartKey": 3659174697241209
},
"message": ""
}
Community Notes #
May indicate download/staging. See the Google Cloud post "Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service".
Detection Rules #
Sigma #
- BITS Transfer Job Downloading File Potential Suspicious Extension (medium): Detects new BITS transfer job saving local files with potential suspicious extensions.
- BITS Transfer Job Download From File Sharing Domains (high): Detects BITS transfer job downloading files from a file sharing domain.
- BITS Transfer Job Download From Direct IP (high): Detects a BITS transfer job downloading file(s) from a direct IP address.
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD (medium): Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
- BITS Transfer Job Download To Potential Suspicious Folder (high): Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location.
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
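Added example (not part of the original page or of the Sigma rules it lists): a Python triage of events in this page's JSON shape that ties each Event ID 16403 transfer back to the creating process recorded by Event ID 3 through jobId, and flags a RemoteName whose host is an IP literal, the condition the "Download From Direct IP" rule describes. The sample records are constructed and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

def host_is_ip_literal(url):
    """True when the URL host is an IPv4/IPv6 literal instead of a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:  # not an IP literal, empty host, or malformed URL
        return False

def triage(events):
    """Attribute each 16403 transfer to the process that created the job (Event ID 3)."""
    creators = {}
    for ev in events:  # first pass: jobId -> creating process from Event ID 3
        data = ev.get("event_data") or {}
        if ev.get("system", {}).get("event_id") == 3:
            creators[str(data.get("jobId", "")).upper()] = data.get("processPath")
    findings = []
    for ev in events:  # second pass: one finding per 16403 transfer
        data = ev.get("event_data") or {}
        if ev.get("system", {}).get("event_id") != 16403:
            continue
        job = str(data.get("jobId", "")).upper()  # GUID case may differ between records
        remote = data.get("RemoteName") or ""
        findings.append({"jobId": job, "remote": remote,
                         "local": data.get("LocalName") or "",
                         "creator": creators.get(job),  # None: no Event ID 3 in this set
                         "direct_ip": host_is_ip_literal(remote)})
    return findings

# Constructed sample records (not from the page), shaped like json.loads() output
# of the example events; 192.0.2.10 and 2001:db8::1 are documentation addresses.
JOB_A = "AAAAAAAA-1111-2222-3333-BBBBBBBBBBBB"
SAMPLE_EVENTS = [
    {"system": {"event_id": 3},
     "event_data": {"jobId": JOB_A, "processPath": r"C:\Windows\System32\bitsadmin.exe"}},
    {"system": {"event_id": 16403},
     "event_data": {"jobId": JOB_A.lower(), "RemoteName": "http://192.0.2.10/update.bin",
                    "LocalName": r"C:\Users\Public\update.bin"}},
    {"system": {"event_id": 16403},
     "event_data": {"jobId": "99999999-0000-0000-0000-000000000000",
                    "RemoteName": "https://downloads.example.com/pkg.crx3",
                    "LocalName": r"C:\Temp\pkg.crx3"}},
    {"system": {"event_id": 16403},
     "event_data": {"jobId": JOB_A, "RemoteName": "http://[2001:db8::1]:8080/a",
                    "LocalName": r"C:\Temp\a"}},
    {"system": {"event_id": 306}, "event_data": {}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["direct_ip"], f["creator"], f["remote"])
```

A finding whose creator is None means the job-creation record was not in the collected set, so the transfer cannot be attributed from these events alone.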