Event ID 5857 — Operation_StartedOperational.ProviderName provider started with result code Operation_StartedOperational.Code.

Provider: Microsoft-Windows-WMI-Activity
Channel: Operational
Collection Priority: Recommended (Palantir, others)

Description

Operation_StartedOperational.ProviderName provider started with result code Operation_StartedOperational.Code. HostProcess = Operation_StartedOperational.HostProcess; ProcessID = Operation_StartedOperational.ProcessID; ProviderPath = Operation_StartedOperational.ProviderPath.

Message #

%1 provider started with result code %2. HostProcess = %3; ProcessID = %4; ProviderPath = %5

Fields #

Name	Description
`Operation_StartedOperational.ProviderName`	—
`Operation_StartedOperational.Code`	—
`Operation_StartedOperational.HostProcess`	—
`Operation_StartedOperational.ProcessID`	—
`Operation_StartedOperational.ProviderPath`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WMI-Activity",
    "guid": "1418EF04-B0B4-4623-BF7E-D74AB47BBDAA",
    "event_source_name": "",
    "event_id": 5857,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T01:54:48.665106+00:00",
    "event_record_id": 2401,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0003-A64E-DBE43710DA01"
    },
    "execution": {
      "process_id": 4404,
      "thread_id": 14236
    },
    "channel": "Microsoft-Windows-WMI-Activity/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "user_data": {
    "Operation_StartedOperational": {
      "ProviderName": "netnat",
      "Code": "0x0",
      "HostProcess": "wmiprvse.exe",
      "ProcessID": 4404,
      "ProviderPath": "%systemroot%\\system32\\wbem\\NetNat.dll"
    }
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
Example event sourced from https://github.com/NextronSystems/evtx-baseline