Message

Error %1 encountered when trying to load MOF %2 while recovering .MOF file marked with autorecover.

Fields

Message

Event filter with query "%1" could not be reactivated in namespace "%2" because of error %3. Events cannot be delivered through this filter until the problem is corrected.

Fields

Message

Event provider %1 attempted to register a syntactically invalid query "%2". The query will be ignored. The query can be corrected by examining the WMI repository with CIM studio and updating the permanent subscriptions for the listed provider and query. If the permanent subscription is created with MOF file coming with an installed product, the application vendor must be contacted to correct the faulty registration.

Fields

Message

Event provider %1 attempted to register an intrinsic event query "%2" in %3 namespace for which the set of target object classes could not be determined. The query will be ignored.

Fields

Message

Event provider %1 attempted to register query "%2" in %3 namespace which is too broad.  Event providers cannot provide events that are provided by the system. The query will be ignored. Contact the application vendor.

Fields

Message

Event provider %1 attempted to register query "%2" whose target class "%3" in %4 namespace does not exist. The query will be ignored.

Fields

Message

Event provider %1 attempted to register query "%2" whose target class "%3" is not an event class. The query will be ignored. Contact the application vendor.

Fields

Message

Failed to Initialize WMI Core or Provider SubSystem or Event SubSystem with error number %1. This could be due to a badly installed version of WMI, WMI repository upgrade failure, insufficient disk space or insufficient memory. WMI will try to re-create the WMI Repository by auto-recovery mechanism on its next restart.

Fields

Message

Error number %1 was returned in trying to initialize Windows Management Instrumentation Service. This could be due to a badly installed version of WMI, WMI repository upgrade failure, insufficient disk space or insufficient memory.

Fields

Message

Windows Management Instrumentation ADAP failed to connect to namespace %1 with the following error %2

Fields

Message

Windows Management Instrumentation ADAP was unable to save object %1 in namespace %2 because of the following error %3

Fields

Message

Windows Management Instrumentation ADAP was unable to create the Win32_Perf base class in %1:Result=%2

Fields

Message

Windows Management Instrumentation ADAP was unable to create the Win32_PerfRawData base class %1

Fields

Message

A provider, %1, has been registered in the Windows Management Instrumentation namespace %2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Fields

Example Event

system:
  provider: Microsoft-Windows-WMI
  guid: 1EDEEE53-0AFE-4609-B846-D8C0B2075B1F
  event_source_name: ''
  event_id: 63
  version: 2
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-04T11:12:30.841914+00:00'
  event_record_id: 181
  correlation: {}
  execution:
    process_id: 1136
    thread_id: 2060
  channel: Application
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-18
user_data:
  data_0x8000003F:
    Provider: NlbsNicProv
    Namespace: Root\microsoftnlb
message: A provider, NlbsNicProv, has been registered in the Windows Management Instrumentation
  namespace Root\microsoftnlb to use the LocalSystem account. This account is privileged
  and the provider may cause a security violation if it does not correctly impersonate
  user requests.

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Windows Management Instrumentation (WMI) Service is starting to restore the WMI repository

Message

The Windows Management Instrumentation Service has recovered from the following backup repository: %1.

Fields

Message

The Windows Management Instrumentation (WMI) Service is starting the backup operation for the WMI repository and is copying data to the following file: %1

Fields

Message

The Windows Management Instrumentation repository backup operation completed copying data to %1 with error %2.

Fields

Message

The Windows Management Instrumentation (WMI) service detected an inconsistency with the WMI repository in the following directory: %windir%\system32\wbem\repository. The WMI service was not able to recover the repository.  The WMI repository will now be deleted and a new repository will be created based on the auto-recovery mechanism.

Message

The Windows Management Instrumentation Service failed to load the repository files under the directory %windir%\system32\wbem\repository.  This can be caused by a corruption in the repository files, security settings on this directory, lack of disk space, or other system resource issues like lack of memory.  If this error happens every time the machine is rebooted then the administrator on this machine may need to stop WMI Service, review the security setting on this folder and files under this folder, and run WMIDiag to validate the health of Windows Management Instrumentation

Message

The Windows Management Instrumentation service detected an inconsistency in the following backup file: %1.

Fields

Message

The Windows Management Instrumentation service encountered the error %1 and was not able to restore from the following backup repository: %2.

Fields

Message

The %1 namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.

Fields

Message

Windows Management Instrumentation Service could not deliver results asynchronously for %1 namespace.  The namespace is marked with RequiresEncryption but WinMgmt could not establish a secure connection back to the client computer.  Ensure there is a trust relationship between the client and server computers so that the client recognizes the server computer account.

Fields

Message

The Windows Management Instrumentation service has detected an inconsistent system shutdown.

Message

Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: %1  Value: %2 Maximum value: %3 WMIPRVSE PID: %4 Providers hosted in this process: %5

Fields

Message

During the service startup, the Windows Management Instrumentation service was unable to locate the repository files. A new repository will be created based on the auto-recovery mechanism.

Message

Windows Management Instrumentation Service started sucessfully

Example Event

system:
  provider: Microsoft-Windows-WMI
  guid: 1EDEEE53-0AFE-4609-B846-D8C0B2075B1F
  event_source_name: ''
  event_id: 5615
  version: 2
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:43.964888+00:00'
  event_record_id: 1440
  correlation: {}
  execution:
    process_id: 3788
    thread_id: 3880
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: Windows Management Instrumentation Service started sucessfully

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

The Windows Management Instrumentation (WMI) repository was successfully re-created by the auto-recovery mechanism.

Message

Windows Management Instrumentation Service subsystems initialized successfully

Example Event

system:
  provider: Microsoft-Windows-WMI
  guid: 1EDEEE53-0AFE-4609-B846-D8C0B2075B1F
  event_source_name: ''
  event_id: 5617
  version: 2
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:45.613226+00:00'
  event_record_id: 1441
  correlation: {}
  execution:
    process_id: 3788
    thread_id: 3564
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: Windows Management Instrumentation Service subsystems initialized successfully

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

WMI interop namespace class "%1" has been overwritten. Some of the Interop scenarios might not work properly. Please issue following commands from elevated command prompt to restore the behavior."mofcomp %windir%\system32\wbem\interop.mof" and similarly mofcomp all the interop.mfl under %windir%\system32\wbem and its subdirectories.

Fields

Message

The Windows Management Instrumentation (WMI) service detected an inconsistency with the WMI repository in the following directory: %windir%\system32\wbem\repository. The WMI service was not able to recover the repository.  The WMI repository will now be deleted and a new repository will be created based on the auto-recovery mechanism.

Message

A provider, %1, has been registered in the Windows Management Instrumentation namespace %2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Message

Error %1 encountered when trying to load MOF %2 while recovering .MOF file marked with autorecover.

Message

Event filter with query "%2" could not be reactivated in namespace "%1" because of error %3. Events cannot be delivered through this filter until the problem is corrected.

Message

Event provider %1 attempted to register a syntactically invalid query "%2". The query will be ignored. The query can be corrected by examining the WMI repository with CIM studio and updating the permanent subscriptions for the listed provider and query. If the permanent subscription is created with MOF file coming with an installed product, the application vendor must be contacted to correct the faulty registration.

Message

Event provider %1 attempted to register an intrinsic event query "%2" in %3 namespace for which the set of target object classes could not be determined. The query will be ignored.

Message

Event provider %1 attempted to register query "%2" in %3 namespace which is too broad.  Event providers cannot provide events that are provided by the system. The query will be ignored. Contact the application vendor.

Message

Event provider %1 attempted to register query "%2" whose target class "%3" in %4 namespace does not exist. The query will be ignored.

Message

Event provider %1 attempted to register query "%2" whose target class "%3" is not an event class. The query will be ignored. Contact the application vendor.

Message

Failed to Initialize WMI Core or Provider SubSystem or Event SubSystem with error number %1. This could be due to a badly installed version of WMI, WMI repository upgrade failure, insufficient disk space or insufficient memory.

Message

Error number %1 was returned in trying to initialize Windows Management Instrumentation Service. This could be due to a badly installed version of WMI, WMI repository upgrade failure, insufficient disk space or insufficient memory.

Message

Windows Management Instrumentation ADAP failed to connect to namespace %1 with the following error %2

Message

Windows Management Instrumentation ADAP was unable to save object %1 in namespace %2 because of the following error %3

Message

Windows Management Instrumentation ADAP was unable to create the Win32_Perf base class in %1:Result=%2

Message

Windows Management Instrumentation ADAP was unable to create the Win32_PerfRawData base class %1

Message

Windows Management Instrumentation (WMI) Service is starting to restore the WMI repository

Message

The Windows Management Instrumentation Service has recovered from the following backup repository: %1.

Message

The Windows Management Instrumentation (WMI) Service is starting the backup operation for the WMI repository and is copying data to the following file: %1

Message

The Windows Management Instrumentation repository backup operation completed copying data to %1 with error %2.

Message

The Windows Management Instrumentation Service failed to load the repository files under the directory %windir%\system32\wbem\repository.  This can be caused by a corruption in the repository files, security settings on this directory, lack of disk space, or other system resource issues like lack of memory.  If this error happens every time the machine is rebooted then the administrator on this machine may need to stop WMI Service, review the security setting on this folder and files under this folder, and run WMIDiag to validate the health of Windows Management Instrumentation

Message

The Windows Management Instrumentation service detected an inconsistency in the following backup file: %1.

Message

The Windows Management Instrumentation service encountered the error %2 and was not able to restore from the following backup repository: %1.

Message

The %1 namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.

Message

Windows Management Instrumentation Service could not deliver results asynchronously for %1 namespace.  The namespace is marked with RequiresEncryption but WinMgmt could not establish a secure connection back to the client computer.  Ensure there is a trust relationship between the client and server computers so that the client recognizes the server computer account.

Message

The Windows Management Instrumentation service has detected an inconsistent system shutdown.

Message

Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: %1  Value: %2 Maximum value: %3 WMIPRVSE PID: %4 Providers hosted in this process: %5

Message

During the service startup, the Windows Management Instrumentation service was unable to locate the repository files. A new repository will be created based on the auto-recovery mechanism.

Message

Windows Management Instrumentation Service started sucessfully

Message

The Windows Management Instrumentation (WMI) repository was successfully re-created by the auto-recovery mechanism.

Message

Windows Management Instrumentation Service subsystems initialized successfully

Message

WMI interop namespace class "%1" has been overwritten. Some of the Interop scenarios might not work properly. Please issue following commands from elevated command prompt to restore the behavior."mofcomp %windir%\system32\wbem\interop.mof" and similarly mofcomp all the interop.mfl under %windir%\system32\wbem and its subdirectories.