Microsoft-Windows-WinRM

326 events across 4 channels

Event ID	Title	Channel
2	Initializing WSMan API	Operational
3	Initialization of WSMan API failed, error code %1.	Operational
4	Deinitializing WSMan API	Operational
5	Deinitialization of WSMan API failed, error code %1.	Operational
6	Creating WSMan Session.	Operational
7	WSMan Create Session operation failed, error code %1.	Operational
8	Closing WSMan Session	Operational
9	Closing WSMan Session failed, error code %1.	Operational
10	Setting WSMan Session Option (%1) - %2 with value (%3) completed successfully.	Operational
11	Creating WSMan shell with the ResourceUri: %1 and ShellId: %2.	Operational
12	WSMan shell creation failed, error code %1.	Operational
13	Running WSMan command with CommandId.	Operational
14	Running WSMan command failed, error code %1.	Operational
15	Closing WSMan command	Operational
16	Closing WSMan shell	Operational
17	Signaling WSMan shell	Operational
18	Signaling WSMan shell; error code {errorCode}.	Operational
19	Closing WSMan operation	Operational
20	Sending input to the shell	Operational
21	Sending input operation failed; error code {errorCode}.	Operational
22	Calling into WSMan to receive output from the shell	Operational
23	WSMan receive operation failed; error code {errorCode}.	Operational
24	Calling into WSMan to receive output from the command	Operational
26	Getting message for error code {inputErrorCode} completed successfully.	Operational
27	Getting WSMan Session Option ({optionCode}).	Operational
28	Access Denied error: the %1 API caller does not match the creator of the …	Operational
29	Initialization of WSMan API completed successfuly	Operational
30	Deinitialization of WSMan API completed successfuly	Operational
31	WSMan Create Session operation completed successfuly	Operational
32	Setting WSMan Session Option (%1) - %2 failed, error code %3.	Operational
33	Closing WSMan Session completed successfuly	Operational
34	Getting message for error code {inputErrorCode} failed; the resulting error code …	Operational
35	Signaling WSMan command failed; error code {errorCode}.	Operational
36	Signaling WSMan command	Operational
37	Closing WSMan shell failed, error code %1.	Operational
38	Closing WSMan command failed, error code %1.	Operational
39	Closing WSMan {operationName} operation completed successfully.	Operational
40	Closing WSMan %1 operation failed, error code %2.	Operational
41	The WinRM protocol handler has began loading for application %1.	Operational
42	The WinRM protocol handler completed unloading.	Operational
43	The WinRM protocol handler unloaded prematurely due to the following error.	Operational
44	The WinRM protocol handler started to create a session at the following …	Operational
45	The WinRM protocol handler closed the session.	Operational
46	The WinRM protocol session closed prematurely due to the following error.	Operational
47	The WinRM protocol session began an operation of type %1 to the server.	Operational
48	The WinRM protocol session successfully completed the operation.	Operational
49	The WinRM protocol operation failed due to the following error.	Operational
64	Auto-detecting proxy settings	Operational
65	Proxy AutoDetect done.	Operational
66	Setting proxy info Proxy list: {proxyList} Bypass list: {bypassList}.	Operational
80	Sending the request for operation {operationName} to destination machine and …	Operational
81	Processing client request for operation {operationName}.	Operational
82	Entering the plugin for operation {operation} with a ResourceURI of …	Operational
83	Leaving the plugin for operation {operation}.	Operational
84	The maximum number of users executing shell operations has been exceeded.	Operational
85	The %1 user is allowed a maximum number of %2 concurrent shells, which has been …	Operational
86	The WSMan service could not launch a host process to process the given request.	Operational
87	The WSMan host process was unexpectedly terminated.	Operational
90	RunAs was disabled by Group Policy; WSMan service has erased all RunAs …	Operational
91	Creating WSMan shell on server with ResourceUri.	Operational
129	Received the response from Network layer; status: {status}.	Operational
130	Received the response from Network layer; status: {status}.	Operational
131	Received redirect status code from Network layer; status: 302 …	Operational
132	WSMan operation %1 completed successfully.	Operational
133	Sending response error packet for ActionURI: {actionUri}.	Operational
134	Sending response for operation {operationName}.	Operational
135	Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT, using next …	Operational
136	Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED, using …	Operational
137	Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot …	Operational
138	The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)	Operational
139	The client got a login failure from the network layer …	Operational
140	Sending HTTP error back to the client due to a transport failure.	Operational
141	Sending timeout response for operation: {operationName}.	Operational
142	WSMan operation %1 failed, error code %2.	Operational
143	Received the response from Network layer; status: 200 (HTTP_STATUS_OK)	Operational
145	WSMan operation %1 started with resourceUri %2.	Operational
160	Authenticating the user using {authentication} mechanism.	Operational
161		Operational
162	Authenticating the user failed.	Operational
163	The authentication mechanism requested by the client is not supported by the …	Operational
164	The destination computer returned an 'access denied' error.	Operational
165	The authentication mechanism requested by the proxy is not supported by the …	Operational
166	The chosen authentication mechanism is {auth}.	Operational
168	Sending HTTP 401 response to the client and disconnect the connection after …	Operational
169		Operational
170	The authentication using client certificate with subject {subject} done …	Operational
171	Authenticating the user with the proxy failed.	Operational
172	The server certificate on the destination computer (%1:%2) has the following …	Operational
173	The WinRM service has terminated %1 unauthenticated connections over the past %2 …	Operational
192	The authorization of the user failed with error %1.	Operational
193	Request for user %1 (%2) will be executed using WinRM virtual account %3 (%4).	Operational
194	The authorization of the user failed with error {errorCode}.	Operational
208	The Winrm service is starting	Operational
209	The Winrm service started successfully	Operational
210	The WinRM service is unable to start because of a failure during initialization.	Operational
211	The Winrm service is stopping	Operational
212	The Winrm service was stopped successfully	Operational
213	The WSMan service could not load current configuration settings as the settings …	Operational
214	The WSMan client could not load current configuration settings as the settings …	Operational
215	The WSMan service failed to read configuration of the following plugin.	Operational
216	The WSMan service failed to restart the plugins marked for AutoRestart.	Operational
217	The WSMan service failed to restart the %1 plugin on service startup.	Operational
218	The WSMan service successfully restarted the following plugin on service …	Operational
219	The WSMan shell instance %1 will no longer support disconnect reconnect …	Operational
224		Operational
229	The WinRM %1 failed to register for group policy change notifications.	Operational
230	Deletion of registry key %1 resulted in access denied.	Operational
254	Activity Transfer	Operational
255	Activity Transfer	Analytic
257	Initializing WSMan API	Analytic
258	Initialization of WSMan API failed; error code {errorCode}.	Analytic
259	Deinitializing WSMan API	Analytic
260	Deinitialization of WSMan API failed; error code {errorCode}.	Analytic
261	Creating WSMan Session.	Analytic
262	WSMan Create Session operation failed; error code {errorCode}.	Analytic
263	Closing WSMan Session	Analytic
264	Closing WSMan Session failed; error code {errorCode}.	Analytic
265	Setting WSMan Session Option ({optionCode}) with value ({optionValue}) completed …	Analytic
266	Creating WSMan shell with the ResourceUri: {resourceUri}.	Analytic
267	WSMan shell creation failed; error code {errorCode}.	Analytic
268	Running WSMan command	Analytic
269	Running WSMan command failed; error code {errorCode}.	Analytic
270	Closing WSMan command	Analytic
271	Closing WSMan shell	Analytic
272	Signaling WSMan shell	Analytic
273	Signaling WSMan shell; error code {errorCode}.	Analytic
274	Closing WSMan operation	Analytic
275	Sending input to the shell	Analytic
276	Sending input operation failed; error code {errorCode}.	Analytic
277	Calling into WSMan to receive output from the shell	Analytic
278	WSMan receive operation failed; error code {errorCode}.	Analytic
279	Calling into WSMan to receive output from the command	Analytic
280	Getting message for error code {inputErrorCode} completed successfully.	Analytic
281	Getting WSMan Session Option ({optionCode}).	Analytic
282	Access Denied error: the {apiCall} API caller does not match the creator of the …	Analytic
283	Plug-in reporting context for operation %1.	Analytic
284	Plug-in reporting data object for operation %1.	Analytic
285	Plug-in reporting data object and EPR for operation %1.	Analytic
286	Plug-in reporting data object and bookmark for operation %1.	Analytic
287	Plug-in reporting data for operation Receive	Analytic
288	Plug-in reporting operation complete for %1.	Analytic
289	Plug-in getting operational information for parameter %1 and operation %2.	Analytic
290	Plug-in reporting the authorization for user %1 completed with error code %2.	Analytic
291	Plug-in reporting the authorization operation completed with error %1 for …	Analytic
292	Updating the quota for the user %1 with error code %2 …	Analytic
293	Initialization of WSMan API completed successfuly	Analytic
294	Deinitialization of WSMan API completed successfuly	Analytic
295	WSMan Create Session operation completed successfuly	Analytic
296	Setting WSMan Session Option ({optionCode}) failed; error code {errorCode}.	Analytic
297	Closing WSMan Session completed successfuly	Analytic
298	Getting message for error code {inputErrorCode} failed; the resulting error code …	Analytic
299	Signaling WSMan command failed; error code {errorCode}.	Analytic
300	Signaling WSMan command	Analytic
301	Closing WSMan shell failed; error code {errorCode}.	Analytic
302	Closing WSMan command failed; error code {errorCode}.	Analytic
303	Closing WSMan {operationName} operation completed successfully.	Analytic
304	Closing WSMan {operationName} operation failed; error code {errorCode}.	Analytic
305	Sending input to the command	Analytic
306	The WinRM service loaded the following plugin: %1 (%2).	Analytic
307	The WinRM service unloaded the following plugin: %1 (%2).	Analytic
308	The plugin called WSManPluginGetConfiguration with the parameter %1 and obtained …	Analytic
309	The plugin called WSManPluginReportCompletion with the parameter %1 and obtained …	Analytic
310	The plugin %1 is being shut down because it was idle for longer than the …	Analytic
311	Signaling WSMan command failed, error code %1.	Analytic
312	Signaling WSMan command	Analytic
313	Sending input to the command	Analytic
314	Sending input to the shell	Analytic
315	Sending input operation failed, error code %1.	Analytic
316	Calling into WSMan to receive output from the shell	Analytic
317	WSMan receive operation failed, error code %1.	Analytic
318	Calling into WSMan to receive output from the command	Analytic
319	Getting message for error code %1 completed successfully.	Analytic
320	Getting WSMan Session Option (%1) - %2.	Analytic
321	Signaling WSMan shell	Analytic
322	Signaling WSMan shell, error code %1.	Analytic
323	Closing WSMan operation	Analytic
324	Closing WSMan %1 operation completed successfully.	Analytic
325	Disconnecting shell with Id.	Analytic
326	Disconnecting shell failed, error code %1.	Analytic
327	Reconnecting shell with Id.	Analytic
328	Reconnecting shell failed, error code %1.	Analytic
329	Connecting shell with Id.	Analytic
330	Connecting shell failed, error code %1.	Analytic
331	Reconnecting shell command with Id.	Analytic
332	Reconnecting shell command failed, error code %1.	Analytic
333	Connecting shell command with Id.	Analytic
334	Connecting shell command failed, error code %1.	Analytic
512	Auto-detecting proxy settings	Analytic
513	Proxy AutoDetect done.	Analytic
514	Setting proxy info Proxy list: %1 Bypass list: %2.	Analytic
768	Processing client request for operation {operationName}.	Analytic
769	Entering the plugin for operation {operation} with a ResourceURI of …	Analytic
770	Leaving the plugin for operation {operation}.	Analytic
771	SOAP [client sending index %1 of %2 total chunks (%3 bytes)] %4.	Analytic
772	SOAP [listener receiving index %1 of %2 total chunks (%3 bytes)] %4.	Analytic
773	The {senderName} user is allowed a maximum number of {concurrentShells} …	Analytic
774	The %1 user is allowed a maximum number of %2 concurrent operations, which has …	Analytic
775	The user load quota of %1 requests per %2 seconds has been exceeded.	Analytic
776	The system load quota of %1 requests per %2 seconds has been exceeded.	Analytic
777	The maximum number of users ({users}) executing shell operations has been …	Analytic
778	Sending the request for operation {operationName} to destination machine and …	Analytic
779	SOAP [client sending index %1 of %2 total chunks (%3 bytes)] %4.	Analytic
780	The WinRM %1 has encountered network connectivity issues.	Analytic
781	The WinRM Client is attempting to re-establish a network connection.	Analytic
782	The WinRM Service has detected a new network connection from the client.	Analytic
783	The WinRM %1 has successfully re-established a network connection.	Analytic
784	The WinRM %1 failed to re-establish a network connection and is reporting a …	Analytic
785	The WSMan host process was started for user %1.	Analytic
786	The WSMan host process was terminated for user %1.	Analytic
787	Sending the request for operation %1 to destination machine and port %2:%3.	Analytic
788	Processing client request for operation %1.	Analytic
789	Entering the plugin for operation %1 with a ResourceURI of <%2>.	Analytic
790	Leaving the plugin for operation %1.	Analytic
791	The WinRM service failed to enumerate DASH/SMASH specifications with MI error.	Analytic
1024	Sending response for operation {operationName}.	Analytic
1025	Sending response error packet for ActionURI.	Analytic
1026	SOAP [client receiving index %1 of %2 total chunks (%3 bytes)] %4.	Analytic
1027	SOAP [listener sending index %1 of %2 total chunks (%3 bytes)] %4.	Analytic
1028	Received the response from Network layer; status: {status}.	Analytic
1029	Received the response from Network layer; status: {status}.	Analytic
1030	Received redirect status code from Network layer; status: 302 …	Analytic
1031	WSMan operation {operationName} completed successfully.	Analytic
1032	Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT; using next …	Analytic
1033	Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED; using …	Analytic
1034	Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot …	Analytic
1035	The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)	Analytic
1036	The client got a login failure from the network layer …	Analytic
1037	The WSMan service could not launch a host process to process the given request.	Analytic
1038	The WSMan host process was unexpectedly terminated.	Analytic
1039	Sending HTTP error back to the client due to a transport failure.	Analytic
1040	Sending timeout response for operation: {operationName}.	Analytic
1041	Enumeration is shutting down	Analytic
1042	WSMan operation {operationName} failed; error code {errorCode}.	Analytic
1043	Subscription is shutting down	Analytic
1044	SOAP [listener sending index %1 of %2 total chunks (%3 bytes)] %4.	Analytic
1045	Received the response from Network layer; status: 200 (HTTP_STATUS_OK)	Analytic
1046	An extended semantics callback timed out for the %1 operation.	Analytic
1047	Received the response from Network layer; status.	Analytic
1048	Sending HTTP error back to the client due to a transport failure.	Analytic
1049	Sending timeout response for operation.	Analytic
1050	Sending response for operation %1.	Analytic
1051	Received the response from Network layer; status.	Analytic
1052	WSMan operation %1 completed successfully.	Analytic
1053	WSMan operation %1 got suspended because of WSMan Shell disconnection.	Analytic
1054	WSMan operation %1 resuming because of WSMan Shell reconnection.	Analytic
1280	Sending HTTP 401 response to the client and disconnect the connection after …	Analytic
1281	User {username} authenticated successfully using {authenticationMechanism} …	Analytic
1282	The authentication using client certificate with subject {subject} done …	Analytic
1283	Authenticating the user using {authentication} mechanism.	Analytic
1285	Authenticating the user failed.	Analytic
1286	The authentication mechanism ({authClient}) requested by the client is not …	Analytic
1287	The destination computer ({destinationMachine}) returned an 'access denied' …	Analytic
1288	The authentication mechanism requested by the proxy is not supported by the …	Analytic
1289	The chosen authentication mechanism is {auth}.	Analytic
1291	Network layer AutoLogon policy was set to Low as a result of a HTTP 401 response …	Analytic
1292	Network layer AutoLogon policy was set to High	Analytic
1293	The chosen authentication mechanism is %1.	Analytic
1294	Sending HTTP 401 response to the client and disconnect the connection after …	Analytic
1295	User %1 authenticated successfully using %2 authentication.	Analytic
1296	The authentication using client certificate with subject %1 done successfully.	Analytic
1297	Authenticating the user using %1 mechanism.	Analytic
1536	Authorizing the user	Analytic
1537	The authorization of the user was done successfully	Analytic
1538	The authorization of the user failed with error {errorCode}.	Analytic
1792	The Winrm service is starting	Analytic
1793	The Winrm service started successfully	Analytic
1794	The WinRM service is unable to start because of a failure during initialization.	Analytic
1795	The Winrm service is stopping	Analytic
1796	The Winrm service was stopped successfully	Analytic
1797	The WSMan service could not load current configuration settings as the settings …	Analytic
1798	The WSMan client could not load current configuration settings as the settings …	Analytic
1799	The WSMan service failed to read configuration of the following plugin: …	Analytic
1808		Analytic
1840	An error was encountered while processing an operation.	Analytic
1841	An error was encountered while processing an operation.	Analytic
1842	Extra information.	Analytic
1843	An unauthenticated connection from client %1 is terminated.	Analytic
2048	[Filename:- %1; Line:- %2; Function:- %3;] %4.	Debug
2049	[Filename:- %1; Line:- %2; Function:- %3; ErrorCode:- %4] %5.	Debug
10148		System
10149		System
10154		System
468853	The WinRM service is not listening for requests since it failed to listen on at …	Operational
468854	The WinRM service is not listening for %1 requests because there was a failure …	Operational
468855	The WS-Management client is not listening for pushed events because there was a …	Operational
468856	The WinRM service is not listening for HTTPS requests because there was a …	Operational
468857	The WS-Management client is not listening for pushed events because there was a …	Operational
468862	The WinRM service cannot validate the client certificate because the revocation …	Operational
468863	User authentication using Basic authentication scheme failed.	Operational
468864	The client certificate exceeded the maximum size allowed by the WinRM service.	Operational
468865	Request processing failed because the WinRM service cannot load data or event …	Operational
468866	The SSL configuration for IP %1 and port %2 is shared with another service, such …	Operational
468871	The WinRM service is unable to start because of a failure during initialization.	Operational
468872	The WinRM service has received an unsecure HTTP connection from %1.	Operational
468873	The WinRM service has been configured to accept basic authentication for …	Operational
468880	The WinRM service is not listening for HTTP requests because there was a failure …	Operational
468881	The WS-Management client is not listening for pushed events because there was a …	Operational
468882	IP Filter %1 specified in the GPO policy for Auto Configuration of listeners is …	Operational
468883	The IP Range %1 is invalid and it will be ignored.	Operational
468884	The WinRM service is not listening for policy changes because there was a …	Operational
468888	The WinRM service encountered a catastrophic security failure.	Operational
468889	The WinRM service cannot migrate the listener with IP address %1 and Port %2 …	Operational
468890	The WinRM service cannot migrate the listener with Address %1 and Transport %2 …	Operational
468891	The WinRM service cannot migrate the listener with IP address %1 and Port %2 …	Operational
468892	The WinRM service cannot migrate the listener with Address %1 and Transport %2 …	Operational
468893	The WinRM service cannot migrate the listener with IP address %1, Port %2 and …	Operational
468894	The WinRM service cannot migrate the listener with Address %1 and Transport %2.	Operational
468895	The WinRM service had a failure during migration.	Operational
468896	The WinRM service had a failure reading the current configuration and is …	Operational
468897	The WinRM service had a failure applying the current configuration and is …	Operational
468898	The WinRM service had a failure reading the current configuration and is …	Operational
468899	The host name pattern ".	Operational
468900	The WinRM service is listening for WS-Management requests.	Operational
468901	The WinRM service is not listening for WS-Management requests.	Operational
468902	The WinRM service could not use the following listener to receive WS-Management …	Operational
468903	The WinRM service had a failure reading configuration during ip address change …	Operational
468904	The WinRM service successfully processed an address change notification.	Operational
468905	The WSMan IIS module failed to read configuration.	Operational
468906	The WinRM service failed to create the following SPNs: %1; %2.	Operational
468907	The WSMan service failed to read configuration of the following plugin.	Operational
468908	The WinRM service failed to initialize CredSSP.	Operational
468909	The WinRM service received an error while trying to unloading a data or event …	Operational
468910	The WinRM service is listening on the default %1 port %2 and on %1 …	Operational
468911	The WinRM service has terminated %1 unauthenticated connections over the past %2 …	Operational
3221734403	The WinRM service is stopping because there was a failure registering for …	Operational
3221734404	The WinRM service is stopping because there was a failure registering for …	Operational

Event ID 2 — Initializing WSMan API

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Initializing WSMan API

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 2
  version: 0
  level: 4
  task: 1
  opcode: 1
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:21:29.458003+00:00'
  event_record_id: 96
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 4780
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3 — Initialization of WSMan API failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Initialization of WSMan API failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 4 — Deinitializing WSMan API

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Deinitializing WSMan API

Event ID 5 — Deinitialization of WSMan API failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Deinitialization of WSMan API failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 6 — Creating WSMan Session.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Creating WSMan Session. The connection string is: %1

Fields

Name	Description
`connection`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 6
  version: 0
  level: 4
  task: 3
  opcode: 1
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:21:29.465878+00:00'
  event_record_id: 98
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 4780
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  connection: localhost:47001/WSMan?MSP=7a83d074-bb86-4e52-aa3e-6cc73cc066c8;PSVersion=5.1.20348.617
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/winrm/events
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 7 — WSMan Create Session operation failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

WSMan Create Session operation failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 8 — Closing WSMan Session

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Closing WSMan Session

Event ID 9 — Closing WSMan Session failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Closing WSMan Session failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 10 — Setting WSMan Session Option (%1) - %2 with value (%3) completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Setting WSMan Session Option (%1) - %2 with value (%3) completed successfully.

Fields

Name	Description
`optionCode`	—
`optionName`	—
`optionValue`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 10
  version: 0
  level: 4
  task: 5
  opcode: 0
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:21:29.476896+00:00'
  event_record_id: 106
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 4780
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  optionCode: 16
  optionName: WSMAN_OPTION_TIMEOUTMS_SIGNAL_SHELL
  optionValue: '60000'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 11 — Creating WSMan shell with the ResourceUri: %1 and ShellId: %2.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Creating WSMan shell with the ResourceUri: %1 and ShellId: %2

Fields

Name	Description
`resourceUri`	—
`shellId`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 11
  version: 0
  level: 4
  task: 5
  opcode: 1
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:21:29.628784+00:00'
  event_record_id: 107
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 4780
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  resourceUri: http://schemas.microsoft.com/powershell/Microsoft.Windows.ServerManagerWorkflows
  shellId: 1480B89F-E871-42E4-BFB4-C8F88B053137
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 12 — WSMan shell creation failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

WSMan shell creation failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 13 — Running WSMan command with CommandId.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Running WSMan command with CommandId: %1

Fields

Name	Description
`commandId`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 13
  version: 0
  level: 4
  task: 5
  opcode: 1
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:21:40.298938+00:00'
  event_record_id: 111
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 4100
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  commandId: 69F6EC7D-1A5C-485B-B375-C500E469097C
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 14 — Running WSMan command failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Running WSMan command failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 15 — Closing WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Closing WSMan command

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 15
  version: 0
  level: 4
  task: 5
  opcode: 1
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:21:43.025520+00:00'
  event_record_id: 112
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 940
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 16 — Closing WSMan shell

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Closing WSMan shell

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 16
  version: 0
  level: 4
  task: 5
  opcode: 1
  keywords: 4611686018427387906
  time_created: '2022-04-07T08:14:07.049150+00:00'
  event_record_id: 63
  correlation:
    ActivityID: DD7B0B6A-4A9E-0001-93A4-7BDD9E4AD801
  execution:
    process_id: 1460
    thread_id: 3116
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 17 — Signaling WSMan shell

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Signaling WSMan shell

Event ID 18 — Signaling WSMan shell; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Signaling WSMan shell; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 19 — Closing WSMan operation

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Closing WSMan operation

Event ID 20 — Sending input to the shell

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Sending input to the shell

Event ID 21 — Sending input operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Sending input operation failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 22 — Calling into WSMan to receive output from the shell

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Calling into WSMan to receive output from the shell

Event ID 23 — WSMan receive operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

WSMan receive operation failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 24 — Calling into WSMan to receive output from the command

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Calling into WSMan to receive output from the command

Event ID 26 — Getting message for error code {inputErrorCode} completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Getting message for error code {inputErrorCode} completed successfully. The languageCode parameter was: {languageCode}

Fields

Name	Description
`inputErrorCode`	—
`languageCode`	—

Event ID 27 — Getting WSMan Session Option ({optionCode}).

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Getting WSMan Session Option ({optionCode})

Fields

Name	Description
`optionCode`	—

Event ID 28 — Access Denied error: the %1 API caller does not match the creator of the application object.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Access Denied error: the %1 API caller does not match the creator of the application object

Fields

Name	Description
`apiCall`	—

Event ID 29 — Initialization of WSMan API completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Initialization of WSMan API completed successfuly

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 29
  version: 0
  level: 4
  task: 1
  opcode: 2
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:21:29.458595+00:00'
  event_record_id: 97
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 4780
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 30 — Deinitialization of WSMan API completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Deinitialization of WSMan API completed successfuly

Event ID 31 — WSMan Create Session operation completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

WSMan Create Session operation completed successfuly

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 31
  version: 0
  level: 4
  task: 3
  opcode: 2
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:21:29.472808+00:00'
  event_record_id: 99
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 4780
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 32 — Setting WSMan Session Option (%1) - %2 failed, error code %3.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Setting WSMan Session Option (%1) - %2 failed, error code %3.

Fields

Name	Description
`optionCode`	—
`optionName`	—
`errorCode`	—

Event ID 33 — Closing WSMan Session completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Closing WSMan Session completed successfuly

Event ID 34 — Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}

Fields

Name	Description
`inputErrorCode`	—
`errorCode`	—

Event ID 35 — Signaling WSMan command failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Signaling WSMan command failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 36 — Signaling WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Signaling WSMan command

Event ID 37 — Closing WSMan shell failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Closing WSMan shell failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 38 — Closing WSMan command failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Closing WSMan command failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 39 — Closing WSMan {operationName} operation completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Closing WSMan {operationName} operation completed successfully

Fields

Name	Description
`operationName`	—

Event ID 40 — Closing WSMan %1 operation failed, error code %2.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Closing WSMan %1 operation failed, error code %2

Fields

Name	Description
`operationName`	—
`errorCode`	—

Event ID 41 — The WinRM protocol handler has began loading for application %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

The WinRM protocol handler has began loading for application %1.

Fields

Name	Description
`applicationID`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 41
  version: 0
  level: 4
  task: 14
  opcode: 1
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:21:54.064765+00:00'
  event_record_id: 113
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 4780
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  applicationID: ServerManager.exe
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 42 — The WinRM protocol handler completed unloading.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM protocol handler completed unloading.

Event ID 43 — The WinRM protocol handler unloaded prematurely due to the following error.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM protocol handler unloaded prematurely due to the following error: %2.

Fields

Name	Description
`errorCode`	—
`errorMessage`	—

Event ID 44 — The WinRM protocol handler started to create a session at the following destination.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

The WinRM protocol handler started to create a session at the following destination: %1.

Fields

Name	Description
`destination`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 44
  version: 0
  level: 4
  task: 15
  opcode: 1
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:38:36.208888+00:00'
  event_record_id: 276
  correlation: {}
  execution:
    process_id: 4444
    thread_id: 2008
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  destination: <local>
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 45 — The WinRM protocol handler closed the session.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

The WinRM protocol handler closed the session.

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 45
  version: 0
  level: 4
  task: 15
  opcode: 2
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:38:36.283057+00:00'
  event_record_id: 283
  correlation: {}
  execution:
    process_id: 4444
    thread_id: 4432
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 46 — The WinRM protocol session closed prematurely due to the following error.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM protocol session closed prematurely due to the following error: %2.

Fields

Name	Description
`errorCode`	—
`errorMessage`	—

Event ID 47 — The WinRM protocol session began an operation of type %1 to the server.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

The WinRM protocol session began an operation of type %1 to the server. The operation accesses class %3 under the %2 namespace.

Fields

Name	Description
`operationType`	—
`namespaceName`	—
`className`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 47
  version: 0
  level: 4
  task: 16
  opcode: 1
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:38:36.268345+00:00'
  event_record_id: 278
  correlation:
    ActivityID: E0AAB88C-4A9F-0001-B210-ABE09F4AD801
  execution:
    process_id: 4444
    thread_id: 4432
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  operationType: GetClass
  namespaceName: root/microsoft/windows/smb
  className: MSFT_SmbServerConfiguration
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 48 — The WinRM protocol session successfully completed the operation.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

The WinRM protocol session successfully completed the operation.

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 48
  version: 0
  level: 4
  task: 16
  opcode: 2
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:38:36.278922+00:00'
  event_record_id: 281
  correlation:
    ActivityID: E0AAB88C-4A9F-0001-B210-ABE09F4AD801
  execution:
    process_id: 4444
    thread_id: 4432
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 49 — The WinRM protocol operation failed due to the following error.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM protocol operation failed due to the following error: %2.

Fields

Name	Description
`errorCode`	—
`errorMessage`	—

Event ID 64 — Auto-detecting proxy settings

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Auto-detecting proxy settings

Event ID 65 — Proxy AutoDetect done.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Proxy AutoDetect done.Proxy list: {proxyList} Bypass list: {bypassList}

Fields

Name	Description
`proxyList`	—
`bypassList`	—

Event ID 66 — Setting proxy info Proxy list: {proxyList} Bypass list: {bypassList}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Setting proxy info  Proxy list: {proxyList}  Bypass list: {bypassList}

Fields

Name	Description
`proxyList`	—
`bypassList`	—

Event ID 80 — Sending the request for operation {operationName} to destination machine and port {url}:{port}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Sending the request for operation {operationName} to destination machine and port {url}:{port}

Fields

Name	Description
`operationName`	—
`url`	—
`port`	—

Event ID 81 — Processing client request for operation {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Processing client request for operation {operationName}

Fields

Name	Description
`operationName`	—

Event ID 82 — Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>

Fields

Name	Description
`operation`	—
`resourceURI`	—

Event ID 83 — Leaving the plugin for operation {operation}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Leaving the plugin for operation {operation}

Fields

Name	Description
`operation`	—

Event ID 84 — The maximum number of users executing shell operations has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The maximum number of users (%1) executing shell operations has been exceeded.
Retry after sometime or raise the quota for concurrent shell users.

Fields

Name	Description
`users`	—

Event ID 85 — The %1 user is allowed a maximum number of %2 concurrent shells, which has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The %1 user is allowed a maximum number of %2 concurrent shells, which has been exceeded.
Close existing shells or raise the quota for this user.

Fields

Name	Description
`senderName`	—
`concurrentShells`	—

Event ID 86 — The WSMan service could not launch a host process to process the given request.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. Error code %1

Fields

Name	Description
`errorCode`	—

Event ID 87 — The WSMan host process was unexpectedly terminated.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 2
Samples: 1

Message

The WSMan host process was unexpectedly terminated. Error code %1

Fields

Name	Description
`errorCode`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 87
  version: 0
  level: 2
  task: 9
  opcode: 0
  keywords: 4611686018427387908
  time_created: '2022-04-07T08:14:06.985298+00:00'
  event_record_id: 62
  correlation:
    ActivityID: DD7B0B6A-4A9E-0000-F00E-7BDD9E4AD801
  execution:
    process_id: 2576
    thread_id: 4764
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  errorCode: 1726
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 90 — RunAs was disabled by Group Policy; WSMan service has erased all RunAs credentials.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

RunAs was disabled by Group Policy; WSMan service has erased all RunAs credentials.

Event ID 91 — Creating WSMan shell on server with ResourceUri.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Creating WSMan shell on server with ResourceUri: %1

Fields

Name	Description
`resourceUri`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 91
  version: 0
  level: 4
  task: 9
  opcode: 0
  keywords: 4611686018427387908
  time_created: '2022-04-07T17:21:30.499992+00:00'
  event_record_id: 108
  correlation:
    ActivityID: E0AAB88C-4A9F-0001-35B9-AAE09F4AD801
  execution:
    process_id: 4644
    thread_id: 4428
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  resourceUri: http://schemas.microsoft.com/powershell/Microsoft.Windows.ServerManagerWorkflows
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/winrm/events
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 129 — Received the response from Network layer; status: {status}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Received the response from Network layer; status: {status}

Fields

Name	Description
`status`	—

Event ID 130 — Received the response from Network layer; status: {status}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Received the response from Network layer; status: {status}

Fields

Name	Description
`status`	—

Event ID 131 — Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: %1

Fields

Name	Description
`location`	—

Event ID 132 — WSMan operation %1 completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

WSMan operation %1 completed successfully

Fields

Name	Description
`operationName`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 132
  version: 0
  level: 4
  task: 10
  opcode: 2
  keywords: 4611686018427387906
  time_created: '2022-04-07T17:38:36.279410+00:00'
  event_record_id: 282
  correlation: {}
  execution:
    process_id: 4444
    thread_id: 4908
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  operationName: Invoke
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 133 — Sending response error packet for ActionURI: {actionUri}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Sending response error packet for ActionURI: {actionUri}

Fields

Name	Description
`actionUri`	—

Event ID 134 — Sending response for operation {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Sending response for operation {operationName}

Fields

Name	Description
`operationName`	—

Event ID 135 — Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT, using next proxy

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT, using next proxy

Event ID 136 — Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED, using next proxy

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED, using next proxy

Event ID 137 — Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved. Aborting the operation

Event ID 138 — The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)

Event ID 139 — The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE)

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE)

Event ID 140 — Sending HTTP error back to the client due to a transport failure.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Sending HTTP error back to the client due to a transport failure.The HTTP status code is {httpStatus}The error code is {errorCode}

Fields

Name	Description
`httpStatus`	—
`errorCode`	—

Event ID 141 — Sending timeout response for operation: {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Sending timeout response for operation: {operationName}

Fields

Name	Description
`operationName`	—

Event ID 142 — WSMan operation %1 failed, error code %2.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 2
Samples: 1

Message

WSMan operation %1 failed, error code %2

Fields

Name	Description
`operationName`	—
`errorCode`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 142
  version: 0
  level: 2
  task: 10
  opcode: 2
  keywords: 4611686018427387906
  time_created: '2023-11-06T00:47:48.782597+00:00'
  event_record_id: 84
  correlation:
    ActivityID: E4DB489E-1037-0000-9DAB-E4E43710DA01
  execution:
    process_id: 16164
    thread_id: 16312
  channel: Microsoft-Windows-WinRM/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  operationName: Enumeration
  errorCode: 2150858770
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 143 — Received the response from Network layer; status: 200 (HTTP_STATUS_OK)

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Received the response from Network layer; status: 200 (HTTP_STATUS_OK)

Event ID 145 — WSMan operation %1 started with resourceUri %2.

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

WSMan operation %1 started with resourceUri %2

Fields

Name	Description
`operationName`	—
`resourceUri`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 145
  version: 0
  level: 4
  task: 5
  opcode: 1
  keywords: 4611686018427387906
  time_created: '2023-11-06T00:47:39.837811+00:00'
  event_record_id: 81
  correlation:
    ActivityID: E4DB489E-1037-0000-9DAB-E4E43710DA01
  execution:
    process_id: 16164
    thread_id: 16220
  channel: Microsoft-Windows-WinRM/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  operationName: Enumeration
  resourceUri: http://schemas.microsoft.com/wbem/wsman/1/config/listener
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 160 — Authenticating the user using {authentication} mechanism.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Authenticating the user using {authentication} mechanism

Fields

Name	Description
`authentication`	—

Event ID 161 —

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 2
Samples: 1

Message

%1

Fields

Name	Description
`authFailureMessage`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 161
  version: 0
  level: 2
  task: 7
  opcode: 0
  keywords: 4611686018427387914
  time_created: '2023-11-06T00:47:48.782381+00:00'
  event_record_id: 83
  correlation:
    ActivityID: E4DB489E-1037-0002-A38B-E4E43710DA01
  execution:
    process_id: 16164
    thread_id: 16312
  channel: Microsoft-Windows-WinRM/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  authFailureMessage: 'The client cannot connect to the destination specified in the
    request. Verify that the service on the destination is running and is accepting
    requests. Consult the logs and documentation for the WS-Management service running
    on the destination, most commonly IIS or WinRM. If the destination is the WinRM
    service, run the following command on the destination to analyze and configure
    the WinRM service: "winrm quickconfig".'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 162 — Authenticating the user failed.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Authenticating the user failed. The credentials didn't work.

Event ID 163 — The authentication mechanism requested by the client is not supported by the server.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The authentication mechanism (%1) requested by the client is not supported by the server.
Possible authentication mechanisms reported by server: %2 %3 %4 %5 %6

Fields

Name	Description
`authClient`	—
`authServer1`	—
`authServer2`	—
`authServer3`	—
`authServer4`	—
`authServer5`	—

Event ID 164 — The destination computer returned an 'access denied' error.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The destination computer (%1) returned an 'access denied' error. Verify your credentials are correct.

Fields

Name	Description
`destinationMachine`	—

Event ID 165 — The authentication mechanism requested by the proxy is not supported by the client.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The authentication mechanism requested by the proxy is not supported by the client. The only proxy authentication mechanism supported are Negotiate, Basic or Digest. 
Possible authentication mechanisms reported by proxy: %1 %2 %3 %4 %5

Fields

Name	Description
`authProxy1`	—
`authProxy2`	—
`authProxy3`	—
`authProxy4`	—
`authProxy5`	—

Event ID 166 — The chosen authentication mechanism is {auth}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The chosen authentication mechanism is {auth}

Fields

Name	Description
`auth`	—

Event ID 168 — Sending HTTP 401 response to the client and disconnect the connection after sending the response

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Sending HTTP 401 response to the client and disconnect the connection after sending the response

Event ID 169 —

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Fields

Name	Description
`username`	—
`authenticationMechanism`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 169
  version: 0
  level: 4
  task: 7
  opcode: 0
  keywords: 4611686018427387916
  time_created: '2019-05-20T15:54:32.564901+00:00'
  event_record_id: 861
  correlation:
    ActivityID: 8534C364-2CC0-0001-C84D-A5F46C0FD501
  execution:
    process_id: 1204
    thread_id: 3068
  channel: Microsoft-Windows-WinRM/Operational
  computer: IEWIN7
  security:
    user_id: S-1-5-20
event_data:
  username: iewin7\ieuser
  authenticationMechanism: NTLM
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 170 — The authentication using client certificate with subject {subject} done successfully.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The authentication using client certificate with subject {subject} done successfully

Fields

Name	Description
`subject`	—

Event ID 171 — Authenticating the user with the proxy failed.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Authenticating the user with the proxy failed. The credentials didn't work.

Event ID 172 — The server certificate on the destination computer (%1:%2) has the following errors: %3 %4 %5 %6 %7 %8 %9 %10.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The server certificate on the destination computer (%1:%2) has the following errors: %3 %4 %5 %6 %7 %8 %9 %10. Fix the server certificate and try again.

Fields

Name	Description
`machineName`	—
`port`	—
`error1`	—
`error2`	—
`error3`	—
`error4`	—
`error5`	—
`error6`	—
`error7`	—
`error8`	—

Event ID 173 — The WinRM service has terminated %1 unauthenticated connections over the past %2 minutes to maintain healthy system state.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service has terminated %1 unauthenticated connections over the past %2 minutes to maintain healthy system state. This will likely happen if the service is overloaded or if the service is under an authentication based attack. 

 Action: 
Enable and observe Windows Remote Management Analytic log and look for warning events with Id 1843. These include additional information about the clients that got abruptly terminated.

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 192 — The authorization of the user failed with error %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The authorization of the user failed with error %1

Fields

Name	Description
`errorCode`	—

Event ID 193 — Request for user %1 (%2) will be executed using WinRM virtual account %3 (%4).

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Request for user %1 (%2) will be executed using WinRM virtual account %3 (%4)

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 193
  version: 0
  level: 4
  task: 8
  opcode: 0
  keywords: 4611686018427387916
  time_created: '2019-05-20T15:54:32.564901+00:00'
  event_record_id: 863
  correlation:
    ActivityID: 8534C364-2CC0-0001-C84D-A5F46C0FD501
  execution:
    process_id: 1204
    thread_id: 3068
  channel: Microsoft-Windows-WinRM/Operational
  computer: IEWIN7
  security:
    user_id: S-1-5-20
event_data: {}
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 194 — The authorization of the user failed with error {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The authorization of the user failed with error {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 208 — The Winrm service is starting

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

The Winrm service is starting

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 208
  version: 0
  level: 4
  task: 11
  opcode: 1
  keywords: 4611686018427387908
  time_created: '2022-04-07T16:53:23.340882+00:00'
  event_record_id: 82
  correlation: {}
  execution:
    process_id: 2416
    thread_id: 2528
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-20
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 209 — The Winrm service started successfully

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

The Winrm service started successfully

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 209
  version: 0
  level: 4
  task: 11
  opcode: 0
  keywords: 4611686018427387908
  time_created: '2022-04-07T16:53:23.453821+00:00'
  event_record_id: 83
  correlation:
    ActivityID: E0AAB88C-4A9F-0001-35B9-AAE09F4AD801
  execution:
    process_id: 2416
    thread_id: 2528
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-20
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 210 — The WinRM service is unable to start because of a failure during initialization.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is unable to start because of a failure during initialization. The error code is %1

Fields

Name	Description
`errorCode`	—

Event ID 211 — The Winrm service is stopping

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

The Winrm service is stopping

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 211
  version: 0
  level: 4
  task: 11
  opcode: 0
  keywords: 4611686018427387908
  time_created: '2022-04-07T16:45:07.009526+00:00'
  event_record_id: 3
  correlation:
    ActivityID: C1DC836A-4A9E-0001-8686-DCC19E4AD801
  execution:
    process_id: 2348
    thread_id: 2608
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-20
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 212 — The Winrm service was stopped successfully

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

The Winrm service was stopped successfully

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 212
  version: 0
  level: 4
  task: 11
  opcode: 2
  keywords: 4611686018427387908
  time_created: '2022-04-07T16:45:07.526668+00:00'
  event_record_id: 4
  correlation:
    ActivityID: C1DC836A-4A9E-0001-8686-DCC19E4AD801
  execution:
    process_id: 2348
    thread_id: 2608
  channel: Microsoft-Windows-WinRM/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-20
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 213 — The WSMan service could not load current configuration settings as the settings are corrupted.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WSMan service could not load current configuration settings as the settings are corrupted. The service is started with default settings instead. 

 User Action 
 Use the following command to restore defaults: 

 winrm invoke Restore winrm/config @{}

Event ID 214 — The WSMan client could not load current configuration settings as the settings are corrupted.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WSMan client could not load current configuration settings as the settings are corrupted. The client is operating with default settings instead. 

 User Action 
 Start the WinRM service and use the following command to restore defaults: 

 winrm invoke Restore winrm/config @{}

Event ID 215 — The WSMan service failed to read configuration of the following plugin.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WSMan service failed to read configuration of the following plugin: 
 %1. 

The error received was %2: %%%2 
 %3.

 User Action 
 Make sure this plugin configuration is valid.

Fields

Name	Description
`pluginName`	—
`errorcode`	—
`errordetail`	—

Event ID 216 — The WSMan service failed to restart the plugins marked for AutoRestart.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WSMan service failed to restart the plugins marked for AutoRestart. The error code received was %1.

Fields

Name	Description
`errorcode`	—

Event ID 217 — The WSMan service failed to restart the %1 plugin on service startup.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WSMan service failed to restart the %1 plugin on service startup. The error code received was %2.

Fields

Name	Description
`pluginName`	—
`errorcode`	—

Event ID 218 — The WSMan service successfully restarted the following plugin on service startup.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WSMan service successfully restarted the following plugin on service startup: %1.

Fields

Name	Description
`pluginName`	—

Event ID 219 — The WSMan shell instance %1 will no longer support disconnect reconnect functionality because a non-supported request was sent by the client.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WSMan shell instance %1 will no longer support disconnect reconnect functionality because a non-supported request was sent by the client.

Fields

Name	Description
`param1`	—

Event ID 224 —

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

%1

Fields

Name	Description
`message`	—

Event ID 229 — The WinRM %1 failed to register for group policy change notifications.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM %1 failed to register for group policy change notifications. The error code is %2.

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 230 — Deletion of registry key %1 resulted in access denied.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Deletion of registry key %1 resulted in access denied. If this registry entry is not marked specifically as read only, this seems like a potential issue.

Fields

Name	Description
`param1`	—

Event ID 254 — Activity Transfer

Provider: Microsoft-Windows-WinRM
Channel: Operational
Level: 4
Samples: 1

Message

Activity Transfer

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: A7975C8F-AC13-49F1-87DA-5A984A4AB417
  event_source_name: ''
  event_id: 254
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387942
  time_created: '2023-11-06T00:47:48.782378+00:00'
  event_record_id: 82
  correlation:
    ActivityID: E4DB489E-1037-0002-A38B-E4E43710DA01
    RelatedActivityID: E4DB489E-1037-0000-9DAB-E4E43710DA01
  execution:
    process_id: 16164
    thread_id: 16312
  channel: Microsoft-Windows-WinRM/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 255 — Activity Transfer

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Activity Transfer

Event ID 257 — Initializing WSMan API

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Initializing WSMan API

Event ID 258 — Initialization of WSMan API failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Initialization of WSMan API failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 259 — Deinitializing WSMan API

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Deinitializing WSMan API

Event ID 260 — Deinitialization of WSMan API failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Deinitialization of WSMan API failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 261 — Creating WSMan Session.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Creating WSMan Session. The connection string is: {connection}

Fields

Name	Description
`connection`	—

Event ID 262 — WSMan Create Session operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

WSMan Create Session operation failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 263 — Closing WSMan Session

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan Session

Event ID 264 — Closing WSMan Session failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan Session failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 265 — Setting WSMan Session Option ({optionCode}) with value ({optionValue}) completed successfuly.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Setting WSMan Session Option ({optionCode}) with value ({optionValue}) completed successfuly

Fields

Name	Description
`optionCode`	—
`optionValue`	—

Event ID 266 — Creating WSMan shell with the ResourceUri: {resourceUri}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Creating WSMan shell with the ResourceUri: {resourceUri}

Fields

Name	Description
`resourceUri`	—

Event ID 267 — WSMan shell creation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

WSMan shell creation failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 268 — Running WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Running WSMan command

Event ID 269 — Running WSMan command failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Running WSMan command failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 270 — Closing WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan command

Event ID 271 — Closing WSMan shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan shell

Event ID 272 — Signaling WSMan shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Signaling WSMan shell

Event ID 273 — Signaling WSMan shell; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Signaling WSMan shell; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 274 — Closing WSMan operation

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan operation

Event ID 275 — Sending input to the shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending input to the shell

Event ID 276 — Sending input operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending input operation failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 277 — Calling into WSMan to receive output from the shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Calling into WSMan to receive output from the shell

Event ID 278 — WSMan receive operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

WSMan receive operation failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 279 — Calling into WSMan to receive output from the command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Calling into WSMan to receive output from the command

Event ID 280 — Getting message for error code {inputErrorCode} completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Getting message for error code {inputErrorCode} completed successfully. The languageCode parameter was: {languageCode}

Fields

Name	Description
`inputErrorCode`	—
`languageCode`	—

Event ID 281 — Getting WSMan Session Option ({optionCode}).

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Getting WSMan Session Option ({optionCode})

Fields

Name	Description
`optionCode`	—

Event ID 282 — Access Denied error: the {apiCall} API caller does not match the creator of the application object.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Access Denied error: the {apiCall} API caller does not match the creator of the application object

Fields

Name	Description
`apiCall`	—

Event ID 283 — Plug-in reporting context for operation %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Plug-in reporting context for operation %1

Fields

Name	Description
`operationName`	—

Event ID 284 — Plug-in reporting data object for operation %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Plug-in reporting data object for operation %1

Fields

Name	Description
`operationName`	—

Event ID 285 — Plug-in reporting data object and EPR for operation %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Plug-in reporting data object and EPR for operation %1

Fields

Name	Description
`operationName`	—

Event ID 286 — Plug-in reporting data object and bookmark for operation %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Plug-in reporting data object and bookmark for operation %1

Fields

Name	Description
`operationName`	—

Event ID 287 — Plug-in reporting data for operation Receive

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Plug-in reporting data for operation Receive

Event ID 288 — Plug-in reporting operation complete for %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Plug-in reporting operation complete for %1

Fields

Name	Description
`operationName`	—

Event ID 289 — Plug-in getting operational information for parameter %1 and operation %2.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Plug-in getting operational information for parameter %1 and operation %2

Fields

Name	Description
`parameters`	—
`operationName`	—

Event ID 290 — Plug-in reporting the authorization for user %1 completed with error code %2.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Plug-in reporting the authorization for user %1 completed with error code %2

Fields

Name	Description
`username`	—
`errorCode`	—

Event ID 291 — Plug-in reporting the authorization operation completed with error %1 for operation %2 and ResourceUri %3.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Plug-in reporting the authorization operation completed with error %1 for operation %2 and ResourceUri %3

Fields

Name	Description
`errorCode`	—
`operation`	—
`resourceUri`	—

Event ID 292 — Updating the quota for the user %1 with error code %2 maxAllowedConcurrentShells=%3 maxAllowedConcurrentOperations=%4 timeslotSize=%5 maxAllowedOpe...

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Updating the quota for the user %1 with error code %2
 maxAllowedConcurrentShells=%3
 maxAllowedConcurrentOperations=%4
 timeslotSize=%5
 maxAllowedOperationsPerTimeslot=%6

Fields

Name	Description
`username`	—
`errorCode`	—
`maxAllowedConcurrentShells`	—
`maxAllowedConcurrentOperations`	—
`timeslotSize`	—
`maxAllowedOperationsPerTimeslot`	—

Event ID 293 — Initialization of WSMan API completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Initialization of WSMan API completed successfuly

Event ID 294 — Deinitialization of WSMan API completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Deinitialization of WSMan API completed successfuly

Event ID 295 — WSMan Create Session operation completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

WSMan Create Session operation completed successfuly

Event ID 296 — Setting WSMan Session Option ({optionCode}) failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Setting WSMan Session Option ({optionCode}) failed; error code {errorCode}

Fields

Name	Description
`optionCode`	—
`errorCode`	—

Event ID 297 — Closing WSMan Session completed successfuly

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan Session completed successfuly

Event ID 298 — Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}

Fields

Name	Description
`inputErrorCode`	—
`errorCode`	—

Event ID 299 — Signaling WSMan command failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Signaling WSMan command failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 300 — Signaling WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Signaling WSMan command

Event ID 301 — Closing WSMan shell failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan shell failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 302 — Closing WSMan command failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan command failed; error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 303 — Closing WSMan {operationName} operation completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan {operationName} operation completed successfully

Fields

Name	Description
`operationName`	—

Event ID 304 — Closing WSMan {operationName} operation failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan {operationName} operation failed; error code {errorCode}

Fields

Name	Description
`operationName`	—
`errorCode`	—

Event ID 305 — Sending input to the command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending input to the command

Event ID 306 — The WinRM service loaded the following plugin: %1 (%2).

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WinRM service loaded the following plugin: %1 (%2)

Fields

Name	Description
`provider`	—
`path`	—

Event ID 307 — The WinRM service unloaded the following plugin: %1 (%2).

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WinRM service unloaded the following plugin: %1 (%2)

Fields

Name	Description
`provider`	—
`path`	—

Event ID 308 — The plugin called WSManPluginGetConfiguration with the parameter %1 and obtained a return value of %2.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The plugin called WSManPluginGetConfiguration with the parameter %1 and obtained a return value of %2.

Fields

Name	Description
`Flags`	—
`Result`	—

Event ID 309 — The plugin called WSManPluginReportCompletion with the parameter %1 and obtained a return value of %2.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The plugin called WSManPluginReportCompletion with the parameter %1 and obtained a return value of %2.

Fields

Name	Description
`Flags`	—
`Result`	—

Event ID 310 — The plugin %1 is being shut down because it was idle for longer than the configured HostIdleTimeoutSecs quota.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The plugin %1 is being shut down because it was idle for longer than the configured HostIdleTimeoutSecs quota.

Fields

Name	Description
`Plugin`	—

Event ID 311 — Signaling WSMan command failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Signaling WSMan command failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 312 — Signaling WSMan command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Signaling WSMan command

Event ID 313 — Sending input to the command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending input to the command

Event ID 314 — Sending input to the shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending input to the shell

Event ID 315 — Sending input operation failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending input operation failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 316 — Calling into WSMan to receive output from the shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Calling into WSMan to receive output from the shell

Event ID 317 — WSMan receive operation failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

WSMan receive operation failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 318 — Calling into WSMan to receive output from the command

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Calling into WSMan to receive output from the command

Event ID 319 — Getting message for error code %1 completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Getting message for error code %1 completed successfully. The languageCode parameter was: %2

Fields

Name	Description
`inputErrorCode`	—
`languageCode`	—

Event ID 320 — Getting WSMan Session Option (%1) - %2.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Getting WSMan Session Option (%1) - %2.

Fields

Name	Description
`optionCode`	—
`optionName`	—

Event ID 321 — Signaling WSMan shell

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Signaling WSMan shell

Event ID 322 — Signaling WSMan shell, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Signaling WSMan shell, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 323 — Closing WSMan operation

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan operation

Event ID 324 — Closing WSMan %1 operation completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Closing WSMan %1 operation completed successfully

Fields

Name	Description
`operationName`	—

Event ID 325 — Disconnecting shell with Id.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Disconnecting shell with Id : %1

Fields

Name	Description
`argument`	—

Event ID 326 — Disconnecting shell failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Disconnecting shell failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 327 — Reconnecting shell with Id.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Reconnecting shell  with Id : %1

Fields

Name	Description
`argument`	—

Event ID 328 — Reconnecting shell failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Reconnecting shell failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 329 — Connecting shell with Id.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Connecting shell  with Id : %1

Fields

Name	Description
`argument`	—

Event ID 330 — Connecting shell failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Connecting shell failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 331 — Reconnecting shell command with Id.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Reconnecting shell command  with Id : %1

Fields

Name	Description
`argument`	—

Event ID 332 — Reconnecting shell command failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Reconnecting shell command failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 333 — Connecting shell command with Id.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Connecting shell command  with Id : %1

Fields

Name	Description
`argument`	—

Event ID 334 — Connecting shell command failed, error code %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Connecting shell command failed, error code %1

Fields

Name	Description
`errorCode`	—

Event ID 512 — Auto-detecting proxy settings

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Auto-detecting proxy settings

Event ID 513 — Proxy AutoDetect done.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Proxy AutoDetect done.
Proxy list: %1 
Bypass list: %2

Fields

Name	Description
`proxyList`	—
`bypassList`	—

Event ID 514 — Setting proxy info Proxy list: %1 Bypass list: %2.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Setting proxy info 
 Proxy list: %1 
 Bypass list: %2

Fields

Name	Description
`proxyList`	—
`bypassList`	—

Event ID 768 — Processing client request for operation {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Processing client request for operation {operationName}

Fields

Name	Description
`operationName`	—

Event ID 769 — Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>

Fields

Name	Description
`operation`	—
`resourceURI`	—

Event ID 770 — Leaving the plugin for operation {operation}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Leaving the plugin for operation {operation}

Fields

Name	Description
`operation`	—

Event ID 771 — SOAP [client sending index %1 of %2 total chunks (%3 bytes)] %4.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

SOAP [client sending index %1 of %2 total chunks (%3 bytes)] %4

Fields

Name	Description
`index`	—
`totalChunks`	—
`bytes`	—
`SoapDocument`	—

Event ID 772 — SOAP [listener receiving index %1 of %2 total chunks (%3 bytes)] %4.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

SOAP [listener receiving index %1 of %2 total chunks (%3 bytes)] %4

Fields

Name	Description
`index`	—
`totalChunks`	—
`bytes`	—
`SoapDocument`	—

Event ID 773 — The {senderName} user is allowed a maximum number of {concurrentShells} concurrent shells; which has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The {senderName} user is allowed a maximum number of {concurrentShells} concurrent shells; which has been exceeded.Close existing shells or raise the quota for this user.

Fields

Name	Description
`senderName`	—
`concurrentShells`	—

Event ID 774 — The %1 user is allowed a maximum number of %2 concurrent operations, which has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The %1 user is allowed a maximum number of %2 concurrent operations, which has been exceeded.
Close existing operations for this user, or raise the quota for this user.

Fields

Name	Description
`senderName`	—
`concurrentOperations`	—

Event ID 775 — The user load quota of %1 requests per %2 seconds has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The user load quota of %1 requests per %2 seconds has been exceeded.
Send future requests at a slower rate or raise the quota for the %3 user.
The next request from this user will not be approved for at least %4 milliseconds.

Fields

Name	Description
`requests`	—
`windowTime`	—
`senderName`	—
`delayHint`	—

Event ID 776 — The system load quota of %1 requests per %2 seconds has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The system load quota of %1 requests per %2 seconds has been exceeded.
Send future requests at a slower rate or raise the system quota.
The next request from the user %3 will not be approved for at least %4 milliseconds.

Fields

Name	Description
`requests`	—
`windowTime`	—
`senderName`	—
`delayHint`	—

Event ID 777 — The maximum number of users ({users}) executing shell operations has been exceeded.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The maximum number of users ({users}) executing shell operations has been exceeded.Retry after sometime or raise the quota for concurrent shell users.

Fields

Name	Description
`users`	—

Event ID 778 — Sending the request for operation {operationName} to destination machine and port {url}:{port}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending the request for operation {operationName} to destination machine and port {url}:{port}

Fields

Name	Description
`operationName`	—
`url`	—
`port`	—

Event ID 779 — SOAP [client sending index %1 of %2 total chunks (%3 bytes)] %4.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

SOAP [client sending index %1 of %2 total chunks (%3 bytes)] %4

Fields

Name	Description
`index`	—
`totalChunks`	—
`bytes`	—
`SoapDocument`	—

Event ID 780 — The WinRM %1 has encountered network connectivity issues.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WinRM %1 has encountered network connectivity issues.

Fields

Name	Description
`param1`	—

Event ID 781 — The WinRM Client is attempting to re-establish a network connection.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WinRM Client is attempting to re-establish a network connection.

Event ID 782 — The WinRM Service has detected a new network connection from the client.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WinRM Service has detected a new network connection from the client.

Event ID 783 — The WinRM %1 has successfully re-established a network connection.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WinRM %1 has successfully re-established a network connection.

Fields

Name	Description
`param1`	—

Event ID 784 — The WinRM %1 failed to re-establish a network connection and is reporting a failure.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WinRM %1 failed to re-establish a network connection and is reporting a failure.

Fields

Name	Description
`param1`	—

Event ID 785 — The WSMan host process was started for user %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WSMan host process was started for user %1.

Fields

Name	Description
`userName`	—

Event ID 786 — The WSMan host process was terminated for user %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WSMan host process was terminated for user %1.

Fields

Name	Description
`userName`	—

Event ID 787 — Sending the request for operation %1 to destination machine and port %2:%3.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending the request for operation %1 to destination machine and port %2:%3

Fields

Name	Description
`operationName`	—
`url`	—
`port`	—

Event ID 788 — Processing client request for operation %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Processing client request for operation %1

Fields

Name	Description
`operationName`	—

Event ID 789 — Entering the plugin for operation %1 with a ResourceURI of <%2>.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Entering the plugin for operation %1 with a ResourceURI of <%2>

Fields

Name	Description
`operation`	—
`resourceURI`	—

Event ID 790 — Leaving the plugin for operation %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Leaving the plugin for operation %1

Fields

Name	Description
`operation`	—

Event ID 791 — The WinRM service failed to enumerate DASH/SMASH specifications with MI error.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WinRM service failed to enumerate DASH/SMASH specifications with MI error: %1.

Fields

Name	Description
`errorCode`	—

Event ID 1024 — Sending response for operation {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending response for operation {operationName}

Fields

Name	Description
`operationName`	—

Event ID 1025 — Sending response error packet for ActionURI.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending response error packet for ActionURI: %1

Fields

Name	Description
`actionUri`	—

Event ID 1026 — SOAP [client receiving index %1 of %2 total chunks (%3 bytes)] %4.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

SOAP [client receiving index %1 of %2 total chunks (%3 bytes)] %4

Fields

Name	Description
`index`	—
`totalChunks`	—
`bytes`	—
`SoapDocument`	—

Event ID 1027 — SOAP [listener sending index %1 of %2 total chunks (%3 bytes)] %4.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

SOAP [listener sending index %1 of %2 total chunks (%3 bytes)] %4

Fields

Name	Description
`index`	—
`totalChunks`	—
`bytes`	—
`SoapDocument`	—

Event ID 1028 — Received the response from Network layer; status: {status}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Received the response from Network layer; status: {status}

Fields

Name	Description
`status`	—

Event ID 1029 — Received the response from Network layer; status: {status}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Received the response from Network layer; status: {status}

Fields

Name	Description
`status`	—

Event ID 1030 — Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: {location}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: {location}

Fields

Name	Description
`location`	—

Event ID 1031 — WSMan operation {operationName} completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

WSMan operation {operationName} completed successfully

Fields

Name	Description
`operationName`	—

Event ID 1032 — Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT; using next proxy

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT; using next proxy

Event ID 1033 — Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED; using next proxy

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED; using next proxy

Event ID 1034 — Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved. Aborting the operation

Event ID 1035 — The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)

Event ID 1036 — The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE)

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE)

Event ID 1037 — The WSMan service could not launch a host process to process the given request.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. Error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 1038 — The WSMan host process was unexpectedly terminated.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WSMan host process was unexpectedly terminated. Error code {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 1039 — Sending HTTP error back to the client due to a transport failure.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending HTTP error back to the client due to a transport failure.The HTTP status code is {httpStatus}The error code is {errorCode}

Fields

Name	Description
`httpStatus`	—
`errorCode`	—

Event ID 1040 — Sending timeout response for operation: {operationName}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending timeout response for operation: {operationName}

Fields

Name	Description
`operationName`	—

Event ID 1041 — Enumeration is shutting down

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Enumeration is shutting down

Event ID 1042 — WSMan operation {operationName} failed; error code {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

WSMan operation {operationName} failed; error code {errorCode}

Fields

Name	Description
`operationName`	—
`errorCode`	—

Event ID 1043 — Subscription is shutting down

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Subscription is shutting down

Event ID 1044 — SOAP [listener sending index %1 of %2 total chunks (%3 bytes)] %4.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

SOAP [listener sending index %1 of %2 total chunks (%3 bytes)] %4

Fields

Name	Description
`index`	—
`totalChunks`	—
`bytes`	—
`SoapDocument`	—

Event ID 1045 — Received the response from Network layer; status: 200 (HTTP_STATUS_OK)

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Received the response from Network layer; status: 200 (HTTP_STATUS_OK)

Event ID 1046 — An extended semantics callback timed out for the %1 operation.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

An extended semantics callback timed out for the %1 operation.

Fields

Name	Description
`operationName`	—

Event ID 1047 — Received the response from Network layer; status.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Received the response from Network layer; status: %1

Fields

Name	Description
`status`	—

Event ID 1048 — Sending HTTP error back to the client due to a transport failure.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending HTTP error back to the client due to a transport failure.
The HTTP status code is %1
The error code is %2

Fields

Name	Description
`httpStatus`	—
`errorCode`	—
`extraErrorInfo1`	—
`extraErrorInfo2`	—

Event ID 1049 — Sending timeout response for operation.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending timeout response for operation: %1

Fields

Name	Description
`operationName`	—

Event ID 1050 — Sending response for operation %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending response for operation %1

Fields

Name	Description
`operationName`	—

Event ID 1051 — Received the response from Network layer; status.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Received the response from Network layer; status: %1

Fields

Name	Description
`status`	—

Event ID 1052 — WSMan operation %1 completed successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

WSMan operation %1 completed successfully

Fields

Name	Description
`operationName`	—

Event ID 1053 — WSMan operation %1 got suspended because of WSMan Shell disconnection.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

WSMan operation %1 got suspended because of WSMan Shell disconnection.

Fields

Name	Description
`operationName`	—

Event ID 1054 — WSMan operation %1 resuming because of WSMan Shell reconnection.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

WSMan operation %1 resuming because of WSMan Shell reconnection.

Fields

Name	Description
`operationName`	—

Event ID 1280 — Sending HTTP 401 response to the client and disconnect the connection after sending the response

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending HTTP 401 response to the client and disconnect the connection after sending the response

Event ID 1281 — User {username} authenticated successfully using {authenticationMechanism} authentication.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

User {username} authenticated successfully using {authenticationMechanism} authentication

Fields

Name	Description
`username`	—
`authenticationMechanism`	—

Event ID 1282 — The authentication using client certificate with subject {subject} done successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The authentication using client certificate with subject {subject} done successfully

Fields

Name	Description
`subject`	—

Event ID 1283 — Authenticating the user using {authentication} mechanism.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Authenticating the user using {authentication} mechanism

Fields

Name	Description
`authentication`	—

Event ID 1285 — Authenticating the user failed.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Authenticating the user failed. The credentials didn't work.

Event ID 1286 — The authentication mechanism ({authClient}) requested by the client is not supported by the server.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The authentication mechanism ({authClient}) requested by the client is not supported by the server.Possible authentication mechanisms reported by server: {authServer1} {authServer2} {authServer3} {authServer4} {authServer5}

Fields

Name	Description
`authClient`	—
`authServer1`	—
`authServer2`	—
`authServer3`	—
`authServer4`	—
`authServer5`	—

Event ID 1287 — The destination computer ({destinationMachine}) returned an 'access denied' error.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The destination computer ({destinationMachine}) returned an 'access denied' error.Possible authentication mechanisms reported by server: {authServer1} {authServer2} {authServer3} {authServer4} {authServer5}.Verify your credentials are correct.

Fields

Name	Description
`destinationMachine`	—
`authServer1`	—
`authServer2`	—
`authServer3`	—
`authServer4`	—
`authServer5`	—

Event ID 1288 — The authentication mechanism requested by the proxy is not supported by the client.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The authentication mechanism requested by the proxy is not supported by the client. The only proxy authentication mechanism supported are Negotiate; Basic or Digest. Possible authentication mechanisms reported by proxy: {authProxy1} {authProxy2} {authProxy3} {authProxy4} {authProxy5}

Fields

Name	Description
`authProxy1`	—
`authProxy2`	—
`authProxy3`	—
`authProxy4`	—
`authProxy5`	—

Event ID 1289 — The chosen authentication mechanism is {auth}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The chosen authentication mechanism is {auth}

Fields

Name	Description
`auth`	—

Event ID 1291 — Network layer AutoLogon policy was set to Low as a result of a HTTP 401 response from Network layer

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Network layer AutoLogon policy was set to Low as a result of a HTTP 401 response from Network layer

Event ID 1292 — Network layer AutoLogon policy was set to High

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Network layer AutoLogon policy was set to High

Event ID 1293 — The chosen authentication mechanism is %1.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The chosen authentication mechanism is %1

Fields

Name	Description
`auth`	—

Event ID 1294 — Sending HTTP 401 response to the client and disconnect the connection after sending the response

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Sending HTTP 401 response to the client and disconnect the connection after sending the response

Event ID 1295 — User %1 authenticated successfully using %2 authentication.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

User %1 authenticated successfully using %2 authentication

Fields

Name	Description
`username`	—
`authenticationMechanism`	—

Event ID 1296 — The authentication using client certificate with subject %1 done successfully.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The authentication using client certificate with subject %1 done successfully

Fields

Name	Description
`subject`	—

Event ID 1297 — Authenticating the user using %1 mechanism.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Authenticating the user using %1 mechanism

Fields

Name	Description
`authentication`	—

Event ID 1536 — Authorizing the user

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Authorizing the user

Event ID 1537 — The authorization of the user was done successfully

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The authorization of the user was done successfully

Event ID 1538 — The authorization of the user failed with error {errorCode}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The authorization of the user failed with error {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 1792 — The Winrm service is starting

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The Winrm service is starting

Event ID 1793 — The Winrm service started successfully

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The Winrm service started successfully

Event ID 1794 — The WinRM service is unable to start because of a failure during initialization.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WinRM service is unable to start because of a failure during initialization. The error code is {errorCode}

Fields

Name	Description
`errorCode`	—

Event ID 1795 — The Winrm service is stopping

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The Winrm service is stopping

Event ID 1796 — The Winrm service was stopped successfully

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The Winrm service was stopped successfully

Event ID 1797 — The WSMan service could not load current configuration settings as the settings are corrupted.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WSMan service could not load current configuration settings as the settings are corrupted. The service is started with default settings instead.  User Action  Use the following command to restore defaults:  winrm invoke Restore winrm/config @{}

Event ID 1798 — The WSMan client could not load current configuration settings as the settings are corrupted.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WSMan client could not load current configuration settings as the settings are corrupted. The client is operating with default settings instead.  User Action  Start the WinRM service and use the following command to restore defaults:  winrm invoke Restore winrm/config @{}

Event ID 1799 — The WSMan service failed to read configuration of the following plugin: {pluginName}.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

The WSMan service failed to read configuration of the following plugin:  {pluginName}. The error received was {errorcode}: %%{errorcode}  {errordetail}. User Action  Make sure this plugin configuration is valid.

Fields

Name	Description
`pluginName`	—
`errorcode`	—
`errordetail`	—

Event ID 1808 —

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

{message}

Fields

Name	Description
`message`	—

Event ID 1840 — An error was encountered while processing an operation.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

An error was encountered while processing an operation.
Error Code: %1
Error String:%2

Fields

Name	Description
`errorCode`	—
`errorString`	—
`extraInformation1`	—
`extraInformation2`	—
`extraInformation3`	—
`extraInformation4`	—

Event ID 1841 — An error was encountered while processing an operation.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

An error was encountered while processing an operation.
Error Code: %1

Fields

Name	Description
`errorCode`	—
`extraInformation1`	—
`extraInformation2`	—
`extraInformation3`	—
`extraInformation4`	—

Event ID 1842 — Extra information.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

Extra information.  Refer to the XML parameters for more details.

Fields

Name	Description
`level`	—
`extraInformation1`	—
`extraInformation2`	—
`extraInformation3`	—
`extraInformation4`	—

Event ID 1843 — An unauthenticated connection from client %1 is terminated.

Provider: Microsoft-Windows-WinRM
Channel: Analytic

Message

An unauthenticated connection from client %1 is terminated.

Fields

Name	Description
`clientIP`	—

Event ID 2048 — [Filename:- %1; Line:- %2; Function:- %3;] %4.

Provider: Microsoft-Windows-WinRM
Channel: Debug

Message

[Filename:- %1; Line:- %2; Function:- %3;] %4

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 2049 — [Filename:- %1; Line:- %2; Function:- %3; ErrorCode:- %4] %5.

Provider: Microsoft-Windows-WinRM
Channel: Debug

Message

[Filename:- %1; Line:- %2; Function:- %3; ErrorCode:- %4] %5

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 10148 —

Provider: Microsoft-Windows-WinRM
Channel: System
Level: 4
Samples: 1

Fields

Name	Description
`Name`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: '{A7975C8F-AC13-49F1-87DA-5A984A4AB417}'
  event_source_name: WinRM
  event_id: 10148
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T16:53:23.372389+00:00'
  event_record_id: 1223
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Name: Started Listening
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10149 —

Provider: Microsoft-Windows-WinRM
Channel: System
Level: 3
Samples: 1

Fields

Name	Description
`Name`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: '{A7975C8F-AC13-49F1-87DA-5A984A4AB417}'
  event_source_name: WinRM
  event_id: 10149
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T16:45:07.008717+00:00'
  event_record_id: 157
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: System
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: ''
event_data:
  Name: Stopped Listening
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10154 —

Provider: Microsoft-Windows-WinRM
Channel: System
Level: 3
Samples: 1

Fields

Name	Description
`spn1`	—
`spn2`	—
`error`	—

Example Event

system:
  provider: Microsoft-Windows-WinRM
  guid: '{A7975C8F-AC13-49F1-87DA-5A984A4AB417}'
  event_source_name: WinRM
  event_id: 10154
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T16:53:23.388188+00:00'
  event_record_id: 1224
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  spn1: WSMAN/WIN-FPV0DSIC9O6.sigma.fr
  spn2: WSMAN/WIN-FPV0DSIC9O6
  error: '1355'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 468853 — The WinRM service is not listening for requests since it failed to listen on at least one address and port.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is not listening for requests since it failed to listen on at least one address and port. 

 Remote management using WinRM will fail. 

 User Action 
 Configure listeners by enabling GPO policy for Auto Configuration of listeners or manually create a listener using WinRM command line tool.

Event ID 468854 — The WinRM service is not listening for %1 requests because there was a failure binding to the URL (%2) in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is not listening for %1 requests because there was a failure binding to the URL (%2) in HTTP.SYS. 

 Another process is registered to listen on the WinRM service URL prefix. 

 User Action 
 Correct this problem by stopping the other process, changing its URL prefix, or by changing the configuration for the WS-Management listening address.

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468855 — The WS-Management client is not listening for pushed events because there was a failure binding to the URL in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WS-Management client is not listening for pushed events because there was a failure binding to the URL (%1) in HTTP.SYS. 

 Another process is registered to listen on the WinRM client URL prefix. 

 User Action 
 Correct this problem by stopping the other process, changing its URL prefix, or by changing the configuration for the WS-Management listening address.

Fields

Name	Description
`param1`	—

Event ID 468856 — The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL (%1) in HTTP.SYS.  

 No remote requests will be serviced on that URL. 

 User Action 
 Please use "netsh http" to check if ACL for URL (%1) is set to Network Service. 

 Additional Data 
 The error code received from HTTP.sys is %2: %%%2

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468857 — The WS-Management client is not listening for pushed events because there was a failure binding to the URL in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WS-Management client is not listening for pushed events because there was a failure binding to the URL (%1) in HTTP.SYS. 

 User Action 
 Please use "netsh http" to check if ACL for URL (%1) is set to Network Service. 

 Additional Data 
 The error code received from HTTP.sys was %2: %%%2

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468862 — The WinRM service cannot validate the client certificate because the revocation status of the certificate or one of the certificates in the certifi...

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service cannot validate the client certificate because the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale. 

 User Action 
 Please ensure that the Certificate Revocation List is accessible and up-to-date.

Event ID 468863 — User authentication using Basic authentication scheme failed.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

User authentication using Basic authentication scheme failed. 

 Additional Data 
 Unexpected error received from LogonUser %1: %%%1.

Fields

Name	Description
`param1`	—

Event ID 468864 — The client certificate exceeded the maximum size allowed by the WinRM service.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The client certificate exceeded the maximum size allowed by the WinRM service.

 User Action 
 Please use a different client certificate or a different authentication mechanism.

Event ID 468865 — Request processing failed because the WinRM service cannot load data or event source: DLL=".

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

Request processing failed because the WinRM service cannot load data or event source: DLL="%1" 

 User Action 
 Please check if "%1" exists. 

 Additional Data 
 Loading %1 failed with error="%2" (%%%2).

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468866 — The SSL configuration for IP %1 and port %2 is shared with another service, such as Internet Information Services (IIS).

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The SSL configuration for IP %1 and port %2 is shared with another service, such as Internet Information Services (IIS).

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468871 — The WinRM service is unable to start because of a failure during initialization.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is unable to start because of a failure during initialization. 

 Additional Data 
 The error code is %1.

Fields

Name	Description
`param1`	—

Event ID 468872 — The WinRM service has received an unsecure HTTP connection from %1.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service has received an unsecure HTTP connection from %1. 

 This is not a secure configuration. 

 User Action 
 Set AllowUnencrypted to False in WinRM configuration to ensure packets are encrypted on the wire.

Fields

Name	Description
`param1`	—

Event ID 468873 — The WinRM service has been configured to accept basic authentication for unsecure HTTP connections.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service has been configured to accept basic authentication for unsecure HTTP connections. 

 This is not a secure configuration. 

 User Action 
 Set AllowUnencrypted to False in WinRM configuration to ensure packets are encrypted on the wire.

Event ID 468880 — The WinRM service is not listening for HTTP requests because there was a failure binding to the URL in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is not listening for HTTP requests because there was a failure binding to the URL (%1) in HTTP.SYS. 

 No remote requests will be serviced on that URL. 

 User Action 
 Please use "netsh http" to check if ACL for URL (%1) is set to Network Service. 

 Additional Data 
 The error code received from HTTP.sys is %2: %%%2

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468881 — The WS-Management client is not listening for pushed events because there was a failure binding to the URL in HTTP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WS-Management client is not listening for pushed events because there was a failure binding to the URL (%1) in HTTP.SYS. 

 User Action 
 Please use "netsh http" to check if ACL for URL (%1) is set to Network Service. 

 Additional Data 
 The error code received from HTTP.sys was %2: %%%2

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468882 — IP Filter %1 specified in the GPO policy for Auto Configuration of listeners is invalid and it will be ignored.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

IP Filter %1 specified in the GPO policy for Auto Configuration of listeners is invalid and it will be ignored. Due to this issue, the WinRM service cannot use the autoconfigured listener. 

 "*" is used to indicate that the service should listen on all available IPs on the machine. When "*" is used, other ranges cannot be specified in the filter. 

 User Action 
 Remove other IP ranges if "*" needs to be included in the IP Filter.

Fields

Name	Description
`param1`	—

Event ID 468883 — The IP Range %1 is invalid and it will be ignored.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The IP Range %1 is invalid and it will be ignored.  

 Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," as delimiter. 
 Example IPv4 ranges:  2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 
Example IPv6 ranges:  3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 

 User Action 
 Correct the IP filter %1 using the syntax described above.

Fields

Name	Description
`param1`	—

Event ID 468884 — The WinRM service is not listening for policy changes because there was a failure registering for changes to the contents of the WS-Management poli...

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is not listening for policy changes because there was a failure registering for changes to the contents of the WS-Management policy key. 

 No group policy change will be serviced. 

 User Action 
 Stop and restart the WinRM service. 

 Additional Data 
 The error code was %1.

Fields

Name	Description
`param1`	—

Event ID 468888 — The WinRM service encountered a catastrophic security failure.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service encountered a catastrophic security failure. The service can no longer run under its security context. 

 User Action 
 Stop and restart the WinRM service. 

 Additional Data 
 The error code is %1.

Fields

Name	Description
`param1`	—

Event ID 468889 — The WinRM service cannot migrate the listener with IP address %1 and Port %2 because the IP address does not exist on the destination computer.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service cannot migrate the listener with IP address %1 and Port %2 because the IP address does not exist on the destination computer. This listener was ignored during migration. 

 User Action 
 Create the listener again with the correct IP address.

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468890 — The WinRM service cannot migrate the listener with Address %1 and Transport %2 because the IP address %3 does not exist on the destination computer.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service cannot migrate the listener with Address %1 and Transport %2 because the IP address %3 does not exist on the destination computer. This listener was ignored during migration. 

 User Action 
 Create the listener again with the correct IP address.

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 468891 — The WinRM service cannot migrate the listener with IP address %1 and Port %2 because the MAC address %3 does not exist on the destination computer.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service cannot migrate the listener with IP address %1 and Port %2 because the MAC address %3 does not exist on the destination computer. This listener was ignored during migration. 

 User Action 
 Create the listener again with the correct MAC address.

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 468892 — The WinRM service cannot migrate the listener with Address %1 and Transport %2 because the MAC address %3 does not exist on the destination machine.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service cannot migrate the listener with Address %1 and Transport %2 because the MAC address %3 does not exist on the destination machine. This listener was ignored during migration. 

 User Action 
 Create the listener again with the correct MAC address.

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 468893 — The WinRM service cannot migrate the listener with IP address %1, Port %2 and Transport %3.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service cannot migrate the listener with IP address %1, Port %2 and Transport %3. A listener that has Address=%4 and Transport=%5 configuration already exists.

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 468894 — The WinRM service cannot migrate the listener with Address %1 and Transport %2.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service cannot migrate the listener with Address %1 and Transport %2. A listener that has the same Address and Transport configuration already exists.

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468895 — The WinRM service had a failure during migration.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service had a failure during migration. 

 User Action 
 Create the configuration again using the WinRM command line tool. 

 Additional Data 
 The error code is: %1 %%%1

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468896 — The WinRM service had a failure reading the current configuration and is stopping.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service had a failure reading the current configuration and is stopping. 

 User Action 
 Use the following command to restore defaults: 

 winrm invoke Restore winrm/config @{} 

 Then add any custom configuration settings and restart the service. 

 Additional Data 
 The error code is: %1 %%%1

Fields

Name	Description
`param1`	—

Event ID 468897 — The WinRM service had a failure applying the current configuration and is stopping.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service had a failure applying the current configuration and is stopping. 

 User Action 
 Check for previous event log messages and restart the service.

Fields

Name	Description
`param1`	—

Event ID 468898 — The WinRM service had a failure reading the current configuration and is stopping.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service had a failure reading the current configuration and is stopping. 

 User Action 
 Use the following command to restore defaults: 

 winrm invoke Restore winrm/config @{} 

 Then add any custom configuration settings and restart the service. 

 Additional Data 
 The error code is: %1 %%%1

Event ID 468899 — The host name pattern ".

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The host name pattern "%1" is invalid and it will be ignored. Host name patterns must not be empty and they can contain at most one wildcard ("*"). "*" pattern can be used to indicate all hosts; if this pattern is used, no other pattern can show up in the list. Special string "<local>" can be used to indicate all host names that do not have a '.'

 User Action 
 Correct the host name pattern using the syntax described above.

Fields

Name	Description
`param1`	—

Event ID 468900 — The WinRM service is listening for WS-Management requests.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is listening for WS-Management requests. 

 User Action 
 Use the following command to see the specific IPs on which WinRM is listening: 

 winrm enumerate winrm/config/listener

Event ID 468901 — The WinRM service is not listening for WS-Management requests.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is not listening for WS-Management requests. 

 User Action 
 If you did not intentionally stop the service, use the following command to see the WinRM configuration: 

 winrm enumerate winrm/config/listener

Event ID 468902 — The WinRM service could not use the following listener to receive WS-Management requests.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service could not use the following listener to receive WS-Management requests.  The listener is enabled but the listener does not have an IP address configured. 

 User Action 
 Check the underlying network configuration to determine if this listener has at least one valid IP. If the IP is valid, ensure that WinRM configuration does not exclude that IP address by using the following command: 

 winrm get winrm/config/service 

 Additional Data 
 Listener transport: %1 
 Listener address: %2

Fields

Name	Description
`transport`	—
`address`	—

Event ID 468903 — The WinRM service had a failure reading configuration during ip address change notification.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service had a failure (%1) reading configuration during ip address change notification. 

 Service will continue running with old configuration.

 User Action 
 If immediae changes are required manually restart the service

Fields

Name	Description
`param1`	—

Event ID 468904 — The WinRM service successfully processed an address change notification.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service successfully processed an address change notification.

Event ID 468905 — The WSMan IIS module failed to read configuration.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WSMan IIS module failed to read configuration. The error received was %1: %%%1 
 %2.

 User Action 
 Make sure both the schema and validation files are present and valid.

Fields

Name	Description
`errorcode`	—
`errordetail`	—

Event ID 468906 — The WinRM service failed to create the following SPNs: %1; %2.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service failed to create the following SPNs: %1; %2. 

 Additional Data 
 The error received was %3: %%%3.

 User Action 
 The SPNs can be created by an administrator using setspn.exe utility.

Fields

Name	Description
`spn1`	—
`spn2`	—
`error`	—

Event ID 468907 — The WSMan service failed to read configuration of the following plugin.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WSMan service failed to read configuration of the following plugin: 
 %1. 

The error received was %2: %%%2 
 %3.

 User Action 
 Make sure this plugin configuration is valid.

Fields

Name	Description
`pluginName`	—
`errorcode`	—
`errordetail`	—

Event ID 468908 — The WinRM service failed to initialize CredSSP.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service failed to initialize CredSSP. 

 Additional Data 
 The error received was %1.

 User Action 
 Configure CertificateThumbprint setting under the WinRM configuration for the service. Use the thumbprint of a valid certificate and make sure that Network Service has access to the private key of the certificate.

Fields

Name	Description
`error`	—

Event ID 468909 — The WinRM service received an error while trying to unloading a data or event source: DLL=".

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service received an error while trying to unloading a data or event source: DLL="%1" 

 User Action 
 Please check if there is an updated version of this file available: "%1". 

 Additional Data 
 Shutting down %1 failed with error="%2" (%%%2).

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 468910 — The WinRM service is listening on the default %1 port %2 and on %1 (Compatibility) port %3 for WS-Management requests.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is listening on the default %1 port %2 and on %1 (Compatibility) port %3 for WS-Management requests. %1 port %3 is no longer the default port for the WinRM service.

 If you want to disable the listener on the (Compatibility) port %3, run the following command:

 Winrm set winrm/config/service @{%4="False"}

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 468911 — The WinRM service has terminated %1 unauthenticated connections over the past %2 minutes to maintain healthy system state.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service has terminated %1 unauthenticated connections over the past %2 minutes to maintain healthy system state. This will likely happen if the service is overloaded or if the service is under an authentication based attack. 

 Action: 
Enable and observe Windows Remote Management Analytic log and look for warning events with Id 1843. These include additional information about the clients that got abruptly terminated.

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 3221734403 — The WinRM service is stopping because there was a failure registering for changes to the IP addresses.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is stopping because there was a failure registering for changes to the IP addresses. 

 User Action 
 Restart the WinRM service. 

 Additional Data 
 The error code was %1.

Fields

Name	Description
`param1`	—

Event ID 3221734404 — The WinRM service is stopping because there was a failure registering for changes to the configuration.

Provider: Microsoft-Windows-WinRM
Channel: Operational

Message

The WinRM service is stopping because there was a failure registering for changes to the configuration. 

 User Action 
 Restart the WinRM service. 

 Additional Data 
 The error code was %1.

Fields

Name	Description
`param1`	—