Microsoft-Windows-WinRM
326 events across 4 channels
Event ID 2 — Initializing WSMan API
Description
Initializing WSMan API.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 4,
"task": 1,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:21:29.458003+00:00",
"event_record_id": 96,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3 — Initialization of WSMan API failed, error code errorCode.
Event ID 4 — Deinitializing WSMan API
Description
Deinitializing WSMan API.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 4,
"version": 0,
"level": 4,
"task": 2,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2025-12-31T19:35:53.792427+00:00",
"event_record_id": 379,
"correlation": {
"ActivityID": "448C0251-84E6-4F2F-9CCC-D1000CB02549"
},
"execution": {
"process_id": 5364,
"thread_id": 5972
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 5 — Deinitialization of WSMan API failed, error code errorCode.
Event ID 6 — Creating WSMan Session.
Description
Creating WSMan Session. The connection string is: connection.
Fields
| Name | Description |
|---|---|
| connection (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 6,
"version": 0,
"level": 4,
"task": 3,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:21:29.465878+00:00",
"event_record_id": 98,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"connection": "localhost:47001/WSMan?MSP=7a83d074-bb86-4e52-aa3e-6cc73cc066c8;PSVersion=5.1.20348.617"
},
"message": ""
}
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/winrm/events
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7 — WSMan Create Session operation failed, error code errorCode.
Event ID 8 — Closing WSMan Session
Description
Closing WSMan Session.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 8,
"version": 0,
"level": 4,
"task": 4,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2025-12-31T19:35:53.790604+00:00",
"event_record_id": 378,
"correlation": {
"ActivityID": "448C0251-84E6-4F2F-9CCC-D1000CB02549"
},
"execution": {
"process_id": 5364,
"thread_id": 5944
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 9 — Closing WSMan Session failed, error code errorCode.
Event ID 10 — Setting WSMan Session Option (optionCode) - optionName with value (optionValue) completed successfully.
Description
Setting WSMan Session Option (optionCode) - optionName with value (optionValue) completed successfully.
Fields
| Name | Description |
|---|---|
| optionCode (UInt32) | — |
| optionName (UnicodeString) | — |
| optionValue (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 10,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:21:29.476896+00:00",
"event_record_id": 106,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"optionCode": 16,
"optionName": "WSMAN_OPTION_TIMEOUTMS_SIGNAL_SHELL",
"optionValue": "60000"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11 — Creating WSMan shell with the ResourceUri: resourceUri and ShellId: shellId.
Description
Creating WSMan shell with the ResourceUri: resourceUri and ShellId: shellId.
Fields
| Name | Description |
|---|---|
| resourceUri (UnicodeString) | — |
| shellId (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 11,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:21:29.628784+00:00",
"event_record_id": 107,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"resourceUri": "http://schemas.microsoft.com/powershell/Microsoft.Windows.ServerManagerWorkflows",
"shellId": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 12 — WSMan shell creation failed, error code errorCode.
Description
WSMan shell creation failed, error code errorCode.
Fields
| Name | Description |
|---|---|
| errorCode (UInt32) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 12,
"version": 0,
"level": 2,
"task": 5,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2026-03-13T19:30:27.006555+00:00",
"event_record_id": 14808,
"correlation": {
"ActivityID": "FAA0C715-5567-44CF-A321-805CC6FC7AE4"
},
"execution": {
"process_id": 4488,
"thread_id": 4272
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"errorCode": 2150859195
},
"message": ""
}
Event ID 13 — Running WSMan command with CommandId: commandId.
Description
Running WSMan command with CommandId: commandId.
Fields
| Name | Description |
|---|---|
| commandId (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 13,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:21:40.298938+00:00",
"event_record_id": 111,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4100
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"commandId": "69F6EC7D-1A5C-485B-B375-C500E469097C"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 14 — Running WSMan command failed, error code errorCode.
Event ID 15 — Closing WSMan command
Description
Closing WSMan command.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 15,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:21:43.025520+00:00",
"event_record_id": 112,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 940
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 16 — Closing WSMan shell
Description
Closing WSMan shell.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 16,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T08:14:07.049150+00:00",
"event_record_id": 63,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-93A4-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 3116
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 17 — Signaling WSMan shell
Description
Signaling WSMan shell.
Event ID 18 — Signaling WSMan shell; error code {errorCode}.
Event ID 19 — Closing WSMan operation
Description
Closing WSMan operation.
Event ID 20 — Sending input to the shell
Description
Sending input to the shell.
Event ID 21 — Sending input operation failed; error code {errorCode}.
Event ID 22 — Calling into WSMan to receive output from the shell
Description
Calling into WSMan to receive output from the shell.
Event ID 23 — WSMan receive operation failed; error code {errorCode}.
Event ID 24 — Calling into WSMan to receive output from the command
Description
Calling into WSMan to receive output from the command.
Event ID 26 — Getting message for error code {inputErrorCode} completed successfully.
Event ID 27 — Getting WSMan Session Option ({optionCode}).
Event ID 28 — Access Denied error: the apiCall API caller does not match the creator of the application object.
Event ID 29 — Initialization of WSMan API completed successfuly
Description
Initialization of WSMan API completed successfuly.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 29,
"version": 0,
"level": 4,
"task": 1,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:21:29.458595+00:00",
"event_record_id": 97,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 30 — Deinitialization of WSMan API completed successfuly
Description
Deinitialization of WSMan API completed successfuly.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 30,
"version": 0,
"level": 4,
"task": 2,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2025-12-31T19:35:53.857484+00:00",
"event_record_id": 396,
"correlation": {
"ActivityID": "448C0251-84E6-4F2F-9CCC-D1000CB02549"
},
"execution": {
"process_id": 5364,
"thread_id": 5972
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 31 — WSMan Create Session operation completed successfuly
Description
WSMan Create Session operation completed successfuly.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 31,
"version": 0,
"level": 4,
"task": 3,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:21:29.472808+00:00",
"event_record_id": 99,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 32 — Setting WSMan Session Option (optionCode) - optionName failed, error code errorCode.
Event ID 33 — Closing WSMan Session completed successfuly
Description
Closing WSMan Session completed successfuly.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 33,
"version": 0,
"level": 4,
"task": 4,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2025-12-31T19:35:53.857495+00:00",
"event_record_id": 397,
"correlation": {
"ActivityID": "448C0251-84E6-4F2F-9CCC-D1000CB02549"
},
"execution": {
"process_id": 5364,
"thread_id": 5944
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 34 — Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}.
Event ID 35 — Signaling WSMan command failed; error code {errorCode}.
Event ID 36 — Signaling WSMan command
Description
Signaling WSMan command.
Event ID 37 — Closing WSMan shell failed, error code errorCode.
Event ID 38 — Closing WSMan command failed, error code errorCode.
Event ID 39 — Closing WSMan {operationName} operation completed successfully.
Event ID 40 — Closing WSMan operationName operation failed, error code errorCode.
Event ID 41 — The WinRM protocol handler has began loading for application applicationID.
Description
The WinRM protocol handler has began loading for application applicationID.
Fields
| Name | Description |
|---|---|
| applicationID (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 41,
"version": 0,
"level": 4,
"task": 14,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:21:54.064765+00:00",
"event_record_id": 113,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"applicationID": "ServerManager.exe"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 42 — The WinRM protocol handler completed unloading.
Description
The WinRM protocol handler completed unloading.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 42,
"version": 0,
"level": 4,
"task": 14,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2026-03-13T16:57:49.982619+00:00",
"event_record_id": 1760,
"correlation": {
"ActivityID": "028C3802-AD9E-000D-4C43-8D029EADDC01"
},
"execution": {
"process_id": 8788,
"thread_id": 10176
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": ""
}
Event ID 43 — The WinRM protocol handler unloaded prematurely due to the following error: errorMessage.
Event ID 44 — The WinRM protocol handler started to create a session at the following destination: destination.
Description
The WinRM protocol handler started to create a session at the following destination: destination.
Fields
| Name | Description |
|---|---|
| destination (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 44,
"version": 0,
"level": 4,
"task": 15,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:38:36.208888+00:00",
"event_record_id": 276,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 2008
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"destination": "<local>"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 45 — The WinRM protocol handler closed the session.
Description
The WinRM protocol handler closed the session.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 45,
"version": 0,
"level": 4,
"task": 15,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:38:36.283057+00:00",
"event_record_id": 283,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 4432
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 46 — The WinRM protocol session closed prematurely due to the following error: errorMessage.
Event ID 47 — The WinRM protocol session began an operation of type operationType to the server.
Description
The WinRM protocol session began an operation of type operationType to the server. The operation accesses class className under the namespaceName namespace.
Fields
| Name | Description |
|---|---|
| operationType (UnicodeString) | — |
| namespaceName (UnicodeString) | — |
| className (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 47,
"version": 0,
"level": 4,
"task": 16,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:38:36.268345+00:00",
"event_record_id": 278,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0001-B210-ABE09F4AD801"
},
"execution": {
"process_id": 4444,
"thread_id": 4432
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"operationType": "GetClass",
"namespaceName": "root/microsoft/windows/smb",
"className": "MSFT_SmbServerConfiguration"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 48 — The WinRM protocol session successfully completed the operation.
Description
The WinRM protocol session successfully completed the operation.
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 48,
"version": 0,
"level": 4,
"task": 16,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:38:36.278922+00:00",
"event_record_id": 281,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0001-B210-ABE09F4AD801"
},
"execution": {
"process_id": 4444,
"thread_id": 4432
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 49 — The WinRM protocol operation failed due to the following error: errorMessage.
Description
The WinRM protocol operation failed due to the following error: errorMessage.
Fields
| Name | Description |
|---|---|
| errorCode (UInt32) | — |
| errorMessage (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 49,
"version": 0,
"level": 2,
"task": 16,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2026-03-13T16:57:49.042601+00:00",
"event_record_id": 1757,
"correlation": {
"ActivityID": "028C3802-AD9E-000D-4C43-8D029EADDC01"
},
"execution": {
"process_id": 8788,
"thread_id": 9388
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"errorCode": 2150859195,
"errorMessage": "The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config."
},
"message": ""
}
Event ID 64 — Auto-detecting proxy settings
Description
Auto-detecting proxy settings.
Event ID 65 — Proxy AutoDetect done.
Event ID 66 — Setting proxy info Proxy list: {proxyList} Bypass list: {bypassList}.
Event ID 80 — Sending the request for operation {operationName} to destination machine and port {url}:{port}.
Event ID 81 — Processing client request for operation {operationName}.
Event ID 82 — Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>.
Event ID 83 — Leaving the plugin for operation {operation}.
Event ID 84 — The maximum number of users (users) executing shell operations has been exceeded.
Event ID 85 — The senderName user is allowed a maximum number of concurrentShells concurrent shells, which has been exceeded.
Event ID 86 — The WSMan service could not launch a host process to process the given request.
Event ID 87 — The WSMan host process was unexpectedly terminated.
Description
The WSMan host process was unexpectedly terminated. Error code errorCode.
Fields
| Name | Description |
|---|---|
| errorCode (UInt32) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 87,
"version": 0,
"level": 2,
"task": 9,
"opcode": 0,
"keywords": 4611686018427387908,
"time_created": "2022-04-07T08:14:06.985298+00:00",
"event_record_id": 62,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0000-F00E-7BDD9E4AD801"
},
"execution": {
"process_id": 2576,
"thread_id": 4764
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"errorCode": 1726
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 90 — RunAs was disabled by Group Policy; WSMan service has erased all RunAs credentials.
Description
RunAs was disabled by Group Policy; WSMan service has erased all RunAs credentials.
Event ID 91 — Creating WSMan shell on server with ResourceUri: resourceUri.
Description
Creating WSMan shell on server with ResourceUri: resourceUri.
Fields
| Name | Description |
|---|---|
| resourceUri (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 91,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 4611686018427387908,
"time_created": "2022-04-07T17:21:30.499992+00:00",
"event_record_id": 108,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0001-35B9-AAE09F4AD801"
},
"execution": {
"process_id": 4644,
"thread_id": 4428
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"resourceUri": "http://schemas.microsoft.com/powershell/Microsoft.Windows.ServerManagerWorkflows"
},
"message": ""
}
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/winrm/events
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 129 — Received the response from Network layer; status: {status}.
Description
Received the response from Network layer; status: {status}.
Fields
| Name | Description |
|---|---|
| status | — NTSTATUS reference |
Event ID 130 — Received the response from Network layer; status: {status}.
Description
Received the response from Network layer; status: {status}.
Fields
| Name | Description |
|---|---|
| status | — NTSTATUS reference |
Event ID 131 — Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: location.
Event ID 132 — WSMan operation operationName completed successfully.
Description
WSMan operation operationName completed successfully.
Fields
| Name | Description |
|---|---|
| operationName (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 132,
"version": 0,
"level": 4,
"task": 10,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2022-04-07T17:38:36.279410+00:00",
"event_record_id": 282,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 4908
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"operationName": "Invoke"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 133 — Sending response error packet for ActionURI: {actionUri}.
Event ID 134 — Sending response for operation {operationName}.
Event ID 135 — Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT, using next proxy
Description
Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT, using next proxy.
Event ID 136 — Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED, using next proxy
Description
Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED, using next proxy.
Event ID 137 — Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved.
Description
Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved. Aborting the operation.
Event ID 138 — The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)
Description
The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT).
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 138,
"version": 0,
"level": 2,
"task": 10,
"opcode": 0,
"keywords": 4611686018427387906,
"time_created": "2026-03-13T16:58:52.389986+00:00",
"event_record_id": 1804,
"correlation": {
"ActivityID": "028C3802-AD9E-0009-DEA5-8C029EADDC01"
},
"execution": {
"process_id": 1528,
"thread_id": 10360
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": ""
}
Event ID 139 — The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE)
Description
The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE).
Event ID 140 — Sending HTTP error back to the client due to a transport failure.
Event ID 141 — Sending timeout response for operation: {operationName}.
Event ID 142 — WSMan operation operationName failed, error code errorCode.
Description
WSMan operation operationName failed, error code errorCode.
Fields
| Name | Description |
|---|---|
| operationName (UnicodeString) | — |
| errorCode (UInt32) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 142,
"version": 0,
"level": 2,
"task": 10,
"opcode": 2,
"keywords": 4611686018427387906,
"time_created": "2023-11-06T00:47:48.782597+00:00",
"event_record_id": 84,
"correlation": {
"ActivityID": "E4DB489E-1037-0000-9DAB-E4E43710DA01"
},
"execution": {
"process_id": 16164,
"thread_id": 16312
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"operationName": "Enumeration",
"errorCode": 2150858770
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 143 — Received the response from Network layer; status: 200 (HTTP_STATUS_OK)
Description
Received the response from Network layer; status: 200 (HTTP_STATUS_OK).
Event ID 145 — WSMan operation operationName started with resourceUri resourceUri.
Description
WSMan operation operationName started with resourceUri resourceUri.
Fields
| Name | Description |
|---|---|
| operationName (UnicodeString) | — |
| resourceUri (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 145,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": 4611686018427387906,
"time_created": "2023-11-06T00:47:39.837811+00:00",
"event_record_id": 81,
"correlation": {
"ActivityID": "E4DB489E-1037-0000-9DAB-E4E43710DA01"
},
"execution": {
"process_id": 16164,
"thread_id": 16220
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"operationName": "Enumeration",
"resourceUri": "http://schemas.microsoft.com/wbem/wsman/1/config/listener"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 160 — Authenticating the user using {authentication} mechanism.
Event ID 161 — authFailureMessage.
Fields
| Name | Description |
|---|---|
| authFailureMessage (UnicodeString) | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 161,
"version": 0,
"level": 2,
"task": 7,
"opcode": 0,
"keywords": 4611686018427387914,
"time_created": "2023-11-06T00:47:48.782381+00:00",
"event_record_id": 83,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-A38B-E4E43710DA01"
},
"execution": {
"process_id": 16164,
"thread_id": 16312
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"authFailureMessage": "The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: \"winrm quickconfig\"."
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 162 — Authenticating the user failed.
Description
Authenticating the user failed. The credentials didn't work.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 162,
"version": 0,
"level": 2,
"task": 7,
"opcode": 0,
"keywords": 4611686018427387914,
"time_created": "2026-03-13T17:03:29.975606+00:00",
"event_record_id": 1873,
"correlation": {
"ActivityID": "028C3802-AD9E-0009-E2AC-8C029EADDC01"
},
"execution": {
"process_id": 8184,
"thread_id": 4952
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": ""
}
Event ID 163 — The authentication mechanism (authClient) requested by the client is not supported by the server.
Event ID 164 — The destination computer (destinationMachine) returned an 'access denied' error.
Event ID 165 — The authentication mechanism requested by the proxy is not supported by the client.
Description
The authentication mechanism requested by the proxy is not supported by the client. The only proxy authentication mechanism supported are Negotiate, Basic or Digest.
Message #
Fields #
| Name | Description |
|---|---|
| authProxy1 UnicodeString | — |
| authProxy2 UnicodeString | — |
| authProxy3 UnicodeString | — |
| authProxy4 UnicodeString | — |
| authProxy5 UnicodeString | — |
Event ID 166 — The chosen authentication mechanism is {auth}.
Event ID 168 — Sending HTTP 401 response to the client and disconnect the connection after sending the response
Description
Sending HTTP 401 response to the client and disconnect the connection after sending the response.
Message #
Event ID 169 —
Fields #
| Name | Description |
|---|---|
| username | — |
| authenticationMechanism | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 169,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 4611686018427387916,
"time_created": "2019-05-20T15:54:32.564901+00:00",
"event_record_id": 861,
"correlation": {
"ActivityID": "8534C364-2CC0-0001-C84D-A5F46C0FD501"
},
"execution": {
"process_id": 1204,
"thread_id": 3068
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "IEWIN7",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"username": "iewin7\\ieuser",
"authenticationMechanism": "NTLM"
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 170 — The authentication using client certificate with subject {subject} done successfully.
Event ID 171 — Authenticating the user with the proxy failed.
Description
Authenticating the user with the proxy failed. The credentials didn't work.
Message #
Event ID 172 — The server certificate on the destination computer (machineName:port) has the following errors: error1 error2 error3 error4 error5 error6 error7 error8.
Description
The server certificate on the destination computer (machineName:port) has the following errors: error1 error2 error3 error4 error5 error6 error7 error8. Fix the server certificate and try again.
Message #
Fields #
| Name | Description |
|---|---|
| machineName UnicodeString | — |
| port UnicodeString | — |
| error1 UnicodeString | — |
| error2 UnicodeString | — |
| error3 UnicodeString | — |
| error4 UnicodeString | — |
| error5 UnicodeString | — |
| error6 UnicodeString | — |
| error7 UnicodeString | — |
| error8 UnicodeString | — |
Event ID 173 — The WinRM service has terminated param1 unauthenticated connections over the past param2 minutes to maintain healthy system state.
Event ID 192 — The authorization of the user failed with error errorCode.
Description
The authorization of the user failed with error errorCode.
Message #
Fields #
| Name | Description |
|---|---|
| errorCode UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 192,
"version": 0,
"level": 4,
"task": 8,
"opcode": 0,
"keywords": 4611686018427387916,
"time_created": "2026-03-13T17:30:10.610317+00:00",
"event_record_id": 2649,
"correlation": {
"ActivityID": "DF92C490-B30B-0005-A2C8-92DF0BB3DC01"
},
"execution": {
"process_id": 6952,
"thread_id": 2464
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"errorCode": 5
},
"message": ""
}
Event ID 193 — Request for user param1 (param2) will be executed using WinRM virtual account param3 (param4).
Description
Request for user param1 (param2) will be executed using WinRM virtual account param3 (param4).
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | — |
| param2 UnicodeString | — |
| param3 UnicodeString | — |
| param4 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 193,
"version": 0,
"level": 4,
"task": 8,
"opcode": 0,
"keywords": 4611686018427387916,
"time_created": "2019-05-20T15:54:32.564901+00:00",
"event_record_id": 863,
"correlation": {
"ActivityID": "8534C364-2CC0-0001-C84D-A5F46C0FD501"
},
"execution": {
"process_id": 1204,
"thread_id": 3068
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "IEWIN7",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 194 — The authorization of the user failed with error {errorCode}.
Event ID 208 — The Winrm service is starting
Description
The Winrm service is starting.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 208,
"version": 0,
"level": 4,
"task": 11,
"opcode": 1,
"keywords": 4611686018427387908,
"time_created": "2022-04-07T16:53:23.340882+00:00",
"event_record_id": 82,
"correlation": {},
"execution": {
"process_id": 2416,
"thread_id": 2528
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 209 — The Winrm service started successfully
Description
The Winrm service started successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 209,
"version": 0,
"level": 4,
"task": 11,
"opcode": 0,
"keywords": 4611686018427387908,
"time_created": "2022-04-07T16:53:23.453821+00:00",
"event_record_id": 83,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0001-35B9-AAE09F4AD801"
},
"execution": {
"process_id": 2416,
"thread_id": 2528
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 210 — The WinRM service is unable to start because of a failure during initialization.
Event ID 211 — The Winrm service is stopping
Description
The Winrm service is stopping.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 211,
"version": 0,
"level": 4,
"task": 11,
"opcode": 0,
"keywords": 4611686018427387908,
"time_created": "2022-04-07T16:45:07.009526+00:00",
"event_record_id": 3,
"correlation": {
"ActivityID": "C1DC836A-4A9E-0001-8686-DCC19E4AD801"
},
"execution": {
"process_id": 2348,
"thread_id": 2608
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 212 — The Winrm service was stopped successfully
Description
The Winrm service was stopped successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 212,
"version": 0,
"level": 4,
"task": 11,
"opcode": 2,
"keywords": 4611686018427387908,
"time_created": "2022-04-07T16:45:07.526668+00:00",
"event_record_id": 4,
"correlation": {
"ActivityID": "C1DC836A-4A9E-0001-8686-DCC19E4AD801"
},
"execution": {
"process_id": 2348,
"thread_id": 2608
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 213 — The WSMan service could not load current configuration settings as the settings are corrupted.
Description
The WSMan service could not load current configuration settings as the settings are corrupted. The service is started with default settings instead.
Message #
Event ID 214 — The WSMan client could not load current configuration settings as the settings are corrupted.
Description
The WSMan client could not load current configuration settings as the settings are corrupted. The client is operating with default settings instead.
Message #
Event ID 215 — The WSMan service failed to read configuration of the following plugin.
Event ID 216 — The WSMan service failed to restart the plugins marked for AutoRestart.
Event ID 217 — The WSMan service failed to restart the pluginName plugin on service startup.
Event ID 218 — The WSMan service successfully restarted the following plugin on service startup: pluginName.
Event ID 219 — The WSMan shell instance param1 will no longer support disconnect reconnect functionality because a non-supported request was sent by the client.
Event ID 224 — message.
Message #
Fields #
| Name | Description |
|---|---|
| message UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 224,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": 4611686018427387908,
"time_created": "2026-03-13T17:01:46.087745+00:00",
"event_record_id": 873,
"correlation": {
"ActivityID": "A84E255E-A05B-0007-9C29-4EA85BA0DC01"
},
"execution": {
"process_id": 1732,
"thread_id": 9060
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"message": "Enable the WinRM firewall exception. "
},
"message": ""
}
Event ID 229 — The WinRM param1 failed to register for group policy change notifications.
Event ID 230 — Deletion of registry key param1 resulted in access denied.
Event ID 254 — Activity Transfer
Description
Activity Transfer.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
"event_source_name": "",
"event_id": 254,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387942,
"time_created": "2023-11-06T00:47:48.782378+00:00",
"event_record_id": 82,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-A38B-E4E43710DA01",
"RelatedActivityID": "E4DB489E-1037-0000-9DAB-E4E43710DA01"
},
"execution": {
"process_id": 16164,
"thread_id": 16312
},
"channel": "Microsoft-Windows-WinRM/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 255 — Activity Transfer
Description
Activity Transfer.
Message #
Event ID 257 — Initializing WSMan API
Description
Initializing WSMan API.
Message #
Event ID 258 — Initialization of WSMan API failed; error code {errorCode}.
Event ID 259 — Deinitializing WSMan API
Description
Deinitializing WSMan API.
Message #
Event ID 260 — Deinitialization of WSMan API failed; error code {errorCode}.
Event ID 261 — Creating WSMan Session.
Event ID 262 — WSMan Create Session operation failed; error code {errorCode}.
Event ID 263 — Closing WSMan Session
Description
Closing WSMan Session.
Message #
Event ID 264 — Closing WSMan Session failed; error code {errorCode}.
Event ID 265 — Setting WSMan Session Option ({optionCode}) with value ({optionValue}) completed successfuly.
Event ID 266 — Creating WSMan shell with the ResourceUri: {resourceUri}.
Event ID 267 — WSMan shell creation failed; error code {errorCode}.
Event ID 268 — Running WSMan command
Description
Running WSMan command.
Message #
Event ID 269 — Running WSMan command failed; error code {errorCode}.
Event ID 270 — Closing WSMan command
Description
Closing WSMan command.
Message #
Event ID 271 — Closing WSMan shell
Description
Closing WSMan shell.
Message #
Event ID 272 — Signaling WSMan shell
Description
Signaling WSMan shell.
Message #
Event ID 273 — Signaling WSMan shell; error code {errorCode}.
Event ID 274 — Closing WSMan operation
Description
Closing WSMan operation.
Message #
Event ID 275 — Sending input to the shell
Description
Sending input to the shell.
Message #
Event ID 276 — Sending input operation failed; error code {errorCode}.
Event ID 277 — Calling into WSMan to receive output from the shell
Description
Calling into WSMan to receive output from the shell.
Message #
Event ID 278 — WSMan receive operation failed; error code {errorCode}.
Event ID 279 — Calling into WSMan to receive output from the command
Description
Calling into WSMan to receive output from the command.
Message #
Event ID 280 — Getting message for error code {inputErrorCode} completed successfully.
Event ID 281 — Getting WSMan Session Option ({optionCode}).
Event ID 282 — Access Denied error: the {apiCall} API caller does not match the creator of the application object.
Event ID 283 — Plug-in reporting context for operation operationName.
Event ID 284 — Plug-in reporting data object for operation operationName.
Event ID 285 — Plug-in reporting data object and EPR for operation operationName.
Event ID 286 — Plug-in reporting data object and bookmark for operation operationName.
Event ID 287 — Plug-in reporting data for operation Receive
Description
Plug-in reporting data for operation Receive.
Message #
Event ID 288 — Plug-in reporting operation complete for operationName.
Event ID 289 — Plug-in getting operational information for parameter parameters and operation operationName.
Event ID 290 — Plug-in reporting the authorization for user username completed with error code errorCode.
Event ID 291 — Plug-in reporting the authorization operation completed with error errorCode for operation operation and ResourceUri resourceUri.
Event ID 292 — Updating the quota for the user username with error code errorCode.
Event ID 293 — Initialization of WSMan API completed successfuly
Description
Initialization of WSMan API completed successfuly.
Message #
Event ID 294 — Deinitialization of WSMan API completed successfuly
Description
Deinitialization of WSMan API completed successfuly.
Message #
Event ID 295 — WSMan Create Session operation completed successfuly
Description
WSMan Create Session operation completed successfuly.
Message #
Event ID 296 — Setting WSMan Session Option ({optionCode}) failed; error code {errorCode}.
Event ID 297 — Closing WSMan Session completed successfuly
Description
Closing WSMan Session completed successfuly.
Message #
Event ID 298 — Getting message for error code {inputErrorCode} failed; the resulting error code is {errorCode}.
Event ID 299 — Signaling WSMan command failed; error code {errorCode}.
Event ID 300 — Signaling WSMan command
Description
Signaling WSMan command.
Message #
Event ID 301 — Closing WSMan shell failed; error code {errorCode}.
Event ID 302 — Closing WSMan command failed; error code {errorCode}.
Event ID 303 — Closing WSMan {operationName} operation completed successfully.
Event ID 304 — Closing WSMan {operationName} operation failed; error code {errorCode}.
Event ID 305 — Sending input to the command
Description
Sending input to the command.
Message #
Event ID 306 — The WinRM service loaded the following plugin: provider (path).
Event ID 307 — The WinRM service unloaded the following plugin: provider (path).
Event ID 308 — The plugin called WSManPluginGetConfiguration with the parameter Flags and obtained a return value of Result.
Event ID 309 — The plugin called WSManPluginReportCompletion with the parameter Flags and obtained a return value of Result.
Event ID 310 — The plugin Plugin is being shut down because it was idle for longer than the configured HostIdleTimeoutSecs quota.
Event ID 311 — Signaling WSMan command failed, error code errorCode.
Event ID 312 — Signaling WSMan command
Description
Signaling WSMan command.
Message #
Event ID 313 — Sending input to the command
Description
Sending input to the command.
Message #
Event ID 314 — Sending input to the shell
Description
Sending input to the shell.
Message #
Event ID 315 — Sending input operation failed, error code errorCode.
Event ID 316 — Calling into WSMan to receive output from the shell
Description
Calling into WSMan to receive output from the shell.
Message #
Event ID 317 — WSMan receive operation failed, error code errorCode.
Event ID 318 — Calling into WSMan to receive output from the command
Description
Calling into WSMan to receive output from the command.
Message #
Event ID 319 — Getting message for error code inputErrorCode completed successfully.
Event ID 320 — Getting WSMan Session Option (optionCode) - optionName.
Event ID 321 — Signaling WSMan shell
Description
Signaling WSMan shell.
Message #
Event ID 322 — Signaling WSMan shell, error code errorCode.
Event ID 323 — Closing WSMan operation
Description
Closing WSMan operation.
Message #
Event ID 324 — Closing WSMan operationName operation completed successfully.
Event ID 325 — Disconnecting shell with Id : argument.
Event ID 326 — Disconnecting shell failed, error code errorCode.
Event ID 327 — Reconnecting shell with Id : argument.
Event ID 328 — Reconnecting shell failed, error code errorCode.
Event ID 329 — Connecting shell with Id : argument.
Event ID 330 — Connecting shell failed, error code errorCode.
Event ID 331 — Reconnecting shell command with Id : argument.
Event ID 332 — Reconnecting shell command failed, error code errorCode.
Event ID 333 — Connecting shell command with Id : argument.
Event ID 334 — Connecting shell command failed, error code errorCode.
Event ID 512 — Auto-detecting proxy settings
Description
Auto-detecting proxy settings.
Message #
Event ID 513 — Proxy AutoDetect done.
Event ID 514 — Setting proxy info.
Event ID 768 — Processing client request for operation {operationName}.
Event ID 769 — Entering the plugin for operation {operation} with a ResourceURI of <{resourceURI}>.
Event ID 770 — Leaving the plugin for operation {operation}.
Event ID 771 — SOAP [client sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.
Event ID 772 — SOAP [listener receiving index index of totalChunks total chunks (bytes bytes)] SoapDocument.
Event ID 773 — The {senderName} user is allowed a maximum number of {concurrentShells} concurrent shells; which has been exceeded.
Event ID 774 — The senderName user is allowed a maximum number of concurrentOperations concurrent operations, which has been exceeded.
Event ID 775 — The user load quota of requests requests per windowTime seconds has been exceeded.
Event ID 776 — The system load quota of requests requests per windowTime seconds has been exceeded.
Event ID 777 — The maximum number of users ({users}) executing shell operations has been exceeded.
Event ID 778 — Sending the request for operation {operationName} to destination machine and port {url}:{port}.
Event ID 779 — SOAP [client sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.
Event ID 780 — The WinRM param1 has encountered network connectivity issues.
Event ID 781 — The WinRM Client is attempting to re-establish a network connection.
Description
The WinRM Client is attempting to re-establish a network connection.
Message #
Event ID 782 — The WinRM Service has detected a new network connection from the client.
Description
The WinRM Service has detected a new network connection from the client.
Message #
Event ID 783 — The WinRM param1 has successfully re-established a network connection.
Event ID 784 — The WinRM param1 failed to re-establish a network connection and is reporting a failure.
Event ID 785 — The WSMan host process was started for user userName.
Event ID 786 — The WSMan host process was terminated for user userName.
Event ID 787 — Sending the request for operation operationName to destination machine and port url:port.
Event ID 788 — Processing client request for operation operationName.
Event ID 789 — Entering the plugin for operation operation with a ResourceURI of <resourceURI>.
Event ID 790 — Leaving the plugin for operation operation.
Event ID 791 — The WinRM service failed to enumerate DASH/SMASH specifications with MI error: errorCode.
Event ID 1024 — Sending response for operation {operationName}.
Event ID 1025 — Sending response error packet for ActionURI: actionUri.
Event ID 1026 — SOAP [client receiving index index of totalChunks total chunks (bytes bytes)] SoapDocument.
Event ID 1027 — SOAP [listener sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.
Event ID 1028 — Received the response from Network layer; status: {status}.
Description
Received the response from Network layer; status: {status}.
Message #
Fields #
| Name | Description |
|---|---|
| status | — NTSTATUS reference |
Event ID 1029 — Received the response from Network layer; status: {status}.
Description
Received the response from Network layer; status: {status}.
Message #
Fields #
| Name | Description |
|---|---|
| status | — NTSTATUS reference |
Event ID 1030 — Received redirect status code from Network layer; status: 302 (HTTP_STATUS_REDIRECT); location: {location}.
Event ID 1031 — WSMan operation {operationName} completed successfully.
Event ID 1032 — Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT; using next proxy
Description
Re-sending the request as a result of ERROR_WINHTTP_CANNOT_CONNECT; using next proxy.
Message #
Event ID 1033 — Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED; using next proxy
Description
Re-sending the request as a result of ERROR_WINHTTP_NAME_NOT_RESOLVED; using next proxy.
Message #
Event ID 1034 — Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved.
Description
Network layer returned ERROR_WINHTTP_NAME_NOT_RESOLVED - The server name cannot be resolved. Aborting the operation.
Message #
Event ID 1035 — The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT)
Description
The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT).
Message #
Event ID 1036 — The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE)
Description
The client got a login failure from the network layer (ERROR_WINHTTP_LOGIN_FAILURE).
Message #
Event ID 1037 — The WSMan service could not launch a host process to process the given request.
Event ID 1038 — The WSMan host process was unexpectedly terminated.
Event ID 1039 — Sending HTTP error back to the client due to a transport failure.
Event ID 1040 — Sending timeout response for operation: {operationName}.
Event ID 1041 — Enumeration is shutting down
Description
Enumeration is shutting down.
Message #
Event ID 1042 — WSMan operation {operationName} failed; error code {errorCode}.
Event ID 1043 — Subscription is shutting down
Description
Subscription is shutting down.
Message #
Event ID 1044 — SOAP [listener sending index index of totalChunks total chunks (bytes bytes)] SoapDocument.
Event ID 1045 — Received the response from Network layer; status: 200 (HTTP_STATUS_OK)
Description
Received the response from Network layer; status: 200 (HTTP_STATUS_OK).
Message #
Event ID 1046 — An extended semantics callback timed out for the operationName operation.
Event ID 1047 — Received the response from Network layer; status: status.
Description
Received the response from Network layer; status: status.
Message #
Fields #
| Name | Description |
|---|---|
| status UnicodeString | — NTSTATUS reference |
Event ID 1048 — Sending HTTP error back to the client due to a transport failure.
Event ID 1049 — Sending timeout response for operation: operationName.
Event ID 1050 — Sending response for operation operationName.
Event ID 1051 — Received the response from Network layer; status: status.
Description
Received the response from Network layer; status: status.
Message #
Fields #
| Name | Description |
|---|---|
| status UInt32 | — NTSTATUS reference |
Event ID 1052 — WSMan operation operationName completed successfully.
Event ID 1053 — WSMan operation operationName got suspended because of WSMan Shell disconnection.
Event ID 1054 — WSMan operation operationName resuming because of WSMan Shell reconnection.
Event ID 1280 — Sending HTTP 401 response to the client and disconnect the connection after sending the response
Description
Sending HTTP 401 response to the client and disconnect the connection after sending the response.
Message #
Event ID 1281 — User {username} authenticated successfully using {authenticationMechanism} authentication.
Event ID 1282 — The authentication using client certificate with subject {subject} done successfully.
Event ID 1283 — Authenticating the user using {authentication} mechanism.
Event ID 1285 — Authenticating the user failed.
Description
Authenticating the user failed. The credentials didn't work.
Message #
Event ID 1286 — The authentication mechanism ({authClient}) requested by the client is not supported by the server.
Event ID 1287 — The destination computer ({destinationMachine}) returned an 'access denied' error.
Event ID 1288 — The authentication mechanism requested by the proxy is not supported by the client.
Event ID 1289 — The chosen authentication mechanism is {auth}.
Event ID 1291 — Network layer AutoLogon policy was set to Low as a result of a HTTP 401 response from Network layer
Description
Network layer AutoLogon policy was set to Low as a result of a HTTP 401 response from Network layer.
Message #
Event ID 1292 — Network layer AutoLogon policy was set to High
Description
Network layer AutoLogon policy was set to High.
Message #
Event ID 1293 — The chosen authentication mechanism is auth.
Event ID 1294 — Sending HTTP 401 response to the client and disconnect the connection after sending the response
Description
Sending HTTP 401 response to the client and disconnect the connection after sending the response.
Message #
Event ID 1295 — User username authenticated successfully using authenticationMechanism authentication.
Event ID 1296 — The authentication using client certificate with subject subject done successfully.
Event ID 1297 — Authenticating the user using authentication mechanism.
Event ID 1536 — Authorizing the user
Description
Authorizing the user.
Message #
Event ID 1537 — The authorization of the user was done successfully
Description
The authorization of the user was done successfully.
Message #
Event ID 1538 — The authorization of the user failed with error {errorCode}.
Event ID 1792 — The Winrm service is starting
Description
The Winrm service is starting.
Message #
Event ID 1793 — The Winrm service started successfully
Description
The Winrm service started successfully.
Message #
Event ID 1794 — The WinRM service is unable to start because of a failure during initialization.
Event ID 1795 — The Winrm service is stopping
Description
The Winrm service is stopping.
Message #
Event ID 1796 — The Winrm service was stopped successfully
Description
The Winrm service was stopped successfully.
Message #
Event ID 1797 — The WSMan service could not load current configuration settings as the settings are corrupted.
Message #
Event ID 1798 — The WSMan client could not load current configuration settings as the settings are corrupted.
Message #
Event ID 1799 — The WSMan service failed to read configuration of the following plugin: {pluginName}.
Event ID 1840 — An error was encountered while processing an operation.
Event ID 1841 — An error was encountered while processing an operation.
Event ID 1842 — Extra information.
Event ID 1843 — An unauthenticated connection from client clientIP is terminated.
Event ID 2048 — [Filename:- param1; Line:- param2; Function:- param3;] param4.
Event ID 2049 — [Filename:- param1; Line:- param2; Function:- param3; ErrorCode:- param4] param5.
Event ID 10148 —
Fields #
| Name | Description |
|---|---|
| Name | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
"event_source_name": "WinRM",
"event_id": 10148,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T16:53:23.372389+00:00",
"event_record_id": 1223,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "System",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Name": "Started Listening"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10149 —
Fields #
| Name | Description |
|---|---|
| Name | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
"event_source_name": "WinRM",
"event_id": 10149,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T16:45:07.008717+00:00",
"event_record_id": 157,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "System",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"Name": "Stopped Listening"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10154 —
Fields #
| Name | Description |
|---|---|
| spn1 | — |
| spn2 | — |
| error | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WinRM",
"guid": "{A7975C8F-AC13-49F1-87DA-5A984A4AB417}",
"event_source_name": "WinRM",
"event_id": 10154,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T16:53:23.388188+00:00",
"event_record_id": 1224,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "System",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"spn1": "WSMAN/WIN-FPV0DSIC9O6.lab.local",
"spn2": "WSMAN/WIN-FPV0DSIC9O6",
"error": "1355"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 468853 — The WinRM service is not listening for requests since it failed to listen on at least one address and port.
Description
The WinRM service is not listening for requests since it failed to listen on at least one address and port.
Message #
Event ID 468854 — The WinRM service is not listening for param1 requests because there was a failure binding to the URL (param2) in HTTP.
Description
The WinRM service is not listening for param1 requests because there was a failure binding to the URL (param2) in HTTP.SYS.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WinRM service is not listening for |
| param2 UnicodeString | requests because there was a failure binding to the URL ( |
Event ID 468855 — The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.
Event ID 468856 — The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL (param1) in HTTP.SYS.
Description
The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL (param1) in HTTP.SYS.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL ( |
| param2 UnicodeString | The error code received from HTTP.sys is |
Event ID 468857 — The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.
Description
The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WS-Management client is not listening for pushed events because there was a failure binding to the URL ( |
| param2 UnicodeString | The error code received from HTTP.sys was |
Event ID 468862 — The WinRM service cannot validate the client certificate because the revocation status of the certificate or one of the certificates in the certifi...
Description
The WinRM service cannot validate the client certificate because the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Message #
Event ID 468863 — User authentication using Basic authentication scheme failed.
Event ID 468864 — The client certificate exceeded the maximum size allowed by the WinRM service.
Description
The client certificate exceeded the maximum size allowed by the WinRM service.
Message #
Event ID 468865 — Request processing failed because the WinRM service cannot load data or event source: DLL="param1" User Action Please check if "param1" exists.
Event ID 468866 — The SSL configuration for IP param1 and port param2 is shared with another service, such as Internet Information Services (IIS).
Event ID 468871 — The WinRM service is unable to start because of a failure during initialization.
Event ID 468872 — The WinRM service has received an unsecure HTTP connection from param1.
Event ID 468873 — The WinRM service has been configured to accept basic authentication for unsecure HTTP connections.
Description
The WinRM service has been configured to accept basic authentication for unsecure HTTP connections.
Message #
Event ID 468880 — The WinRM service is not listening for HTTP requests because there was a failure binding to the URL (param1) in HTTP.SYS.
Description
The WinRM service is not listening for HTTP requests because there was a failure binding to the URL (param1) in HTTP.SYS.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WinRM service is not listening for HTTP requests because there was a failure binding to the URL ( |
| param2 UnicodeString | The error code received from HTTP.sys is |
Event ID 468881 — The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.
Description
The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WS-Management client is not listening for pushed events because there was a failure binding to the URL ( |
| param2 UnicodeString | The error code received from HTTP.sys was |
Event ID 468882 — IP Filter param1 specified in the GPO policy for Auto Configuration of listeners is invalid and it will be ignored.
Event ID 468883 — The IP Range param1 is invalid and it will be ignored.
Event ID 468884 — The WinRM service is not listening for policy changes because there was a failure registering for changes to the contents of the WS-Management poli...
Event ID 468888 — The WinRM service encountered a catastrophic security failure.
Event ID 468889 — The WinRM service cannot migrate the listener with IP address param1 and Port param2 because the IP address does not exist on the destination computer.
Description
The WinRM service cannot migrate the listener with IP address param1 and Port param2 because the IP address does not exist on the destination computer. This listener was ignored during migration.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WinRM service cannot migrate the listener with IP address |
| param2 UnicodeString | and Port |
Event ID 468890 — The WinRM service cannot migrate the listener with Address param1 and Transport param2 because the IP address param3 does not exist on the destination computer.
Description
The WinRM service cannot migrate the listener with Address param1 and Transport param2 because the IP address param3 does not exist on the destination computer. This listener was ignored during migration.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WinRM service cannot migrate the listener with Address |
| param2 UnicodeString | and Transport |
| param3 UnicodeString | because the IP address |
Event ID 468891 — The WinRM service cannot migrate the listener with IP address param1 and Port param2 because the MAC address param3 does not exist on the destination computer.
Description
The WinRM service cannot migrate the listener with IP address param1 and Port param2 because the MAC address param3 does not exist on the destination computer. This listener was ignored during migration.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WinRM service cannot migrate the listener with IP address |
| param2 UnicodeString | and Port |
| param3 UnicodeString | because the MAC address |
Event ID 468892 — The WinRM service cannot migrate the listener with Address param1 and Transport param2 because the MAC address param3 does not exist on the destination machine.
Description
The WinRM service cannot migrate the listener with Address param1 and Transport param2 because the MAC address param3 does not exist on the destination machine. This listener was ignored during migration.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WinRM service cannot migrate the listener with Address |
| param2 UnicodeString | and Transport |
| param3 UnicodeString | because the MAC address |
Event ID 468893 — The WinRM service cannot migrate the listener with IP address param1, Port param2 and Transport param3.
Description
The WinRM service cannot migrate the listener with IP address param1, Port param2 and Transport param3. A listener that has Address=param4 and Transport=param5 configuration already exists.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WinRM service cannot migrate the listener with IP address |
| param2 UnicodeString | , Port |
| param3 UnicodeString | and Transport |
| param4 UnicodeString | . A listener that has Address= |
| param5 UnicodeString | and Transport= |
Event ID 468894 — The WinRM service cannot migrate the listener with Address param1 and Transport param2.
Description
The WinRM service cannot migrate the listener with Address param1 and Transport param2. A listener that has the same Address and Transport configuration already exists.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WinRM service cannot migrate the listener with Address |
| param2 UnicodeString | and Transport |
Event ID 468895 — The WinRM service had a failure during migration.
Event ID 468896 — The WinRM service had a failure reading the current configuration and is stopping.
Event ID 468897 — The WinRM service had a failure applying the current configuration and is stopping.
Event ID 468898 — The WinRM service had a failure reading the current configuration and is stopping.
Description
The WinRM service had a failure reading the current configuration and is stopping.
Message #
Event ID 468899 — The host name pattern "param1" is invalid and it will be ignored.
Event ID 468900 — The WinRM service is listening for WS-Management requests.
Description
The WinRM service is listening for WS-Management requests.
Message #
Event ID 468901 — The WinRM service is not listening for WS-Management requests.
Description
The WinRM service is not listening for WS-Management requests.
Message #
Event ID 468902 — The WinRM service could not use the following listener to receive WS-Management requests.
Event ID 468903 — The WinRM service had a failure (param1) reading configuration during ip address change notification.
Event ID 468904 — The WinRM service successfully processed an address change notification.
Description
The WinRM service successfully processed an address change notification.
Message #
Event ID 468905 — The WSMan IIS module failed to read configuration.
Event ID 468906 — The WinRM service failed to create the following SPNs: spn1; spn2.
Event ID 468907 — The WSMan service failed to read configuration of the following plugin.
Event ID 468908 — The WinRM service failed to initialize CredSSP.
Event ID 468909 — The WinRM service received an error while trying to unloading a data or event source: DLL="param1" User Action Please check if there is an updated vers...
Event ID 468910 — The WinRM service is listening on the default param1 port param2 and on param1 (Compatibility) port param3 for WS-Management requests.
Description
The WinRM service is listening on the default param1 port param2 and on param1 (Compatibility) port param3 for WS-Management requests. port is no longer the default port for the WinRM service.
Message #
Fields #
| Name | Description |
|---|---|
| param1 UnicodeString | The WinRM service is listening on the default |
| param2 UnicodeString | — |
| param3 UnicodeString | (Compatibility) port |
| param4 UnicodeString | Winrm set winrm/config/service @{ |