Description

Error Error encountered when trying to load MOF MOF while recovering .MOF file marked with autorecover.

Message #

Error %1 encountered when trying to load MOF %2 while recovering .MOF file marked with autorecover.

Fields #

Description

Event filter with query "Query" could not be reactivated in namespace "Namespace" because of error Error. Events cannot be delivered through this filter until the problem is corrected.

Message #

Event filter with query "%1" could not be reactivated in namespace "%2" because of error %3. Events cannot be delivered through this filter until the problem is corrected.

Fields #

Message #

Event provider %1 attempted to register a syntactically invalid query "%2". The query will be ignored. The query can be corrected by examining the WMI repository with CIM studio and updating the permanent subscriptions for the listed provider and query. If the permanent subscription is created with MOF file coming with an installed product, the application vendor must be contacted to correct the faulty registration.

Fields #

Description

Event provider EventProvider attempted to register an intrinsic event query "Query" in Namespace namespace for which the set of target object classes could not be determined. The query will be ignored.

Message #

Event provider %1 attempted to register an intrinsic event query "%2" in %3 namespace for which the set of target object classes could not be determined. The query will be ignored.

Fields #

Message #

Event provider %1 attempted to register query "%2" in %3 namespace which is too broad.  Event providers cannot provide events that are provided by the system. The query will be ignored. Contact the application vendor.

Fields #

Description

Event provider EventProvider attempted to register query "Query" whose target class "Class" in Namespace namespace does not exist. The query will be ignored.

Message #

Event provider %1 attempted to register query "%2" whose target class "%3" in %4 namespace does not exist. The query will be ignored.

Fields #

Description

Event provider EventProvider attempted to register query "Query" whose target class "Class" is not an event class. The query will be ignored. Contact the application vendor.

Message #

Event provider %1 attempted to register query "%2" whose target class "%3" is not an event class. The query will be ignored. Contact the application vendor.

Fields #

Message #

Failed to Initialize WMI Core or Provider SubSystem or Event SubSystem with error number %1. This could be due to a badly installed version of WMI, WMI repository upgrade failure, insufficient disk space or insufficient memory. WMI will try to re-create the WMI Repository by auto-recovery mechanism on its next restart.

Fields #

Message #

Error number %1 was returned in trying to initialize Windows Management Instrumentation Service. This could be due to a badly installed version of WMI, WMI repository upgrade failure, insufficient disk space or insufficient memory.

Fields #

Description

Windows Management Instrumentation ADAP failed to connect to namespace Namespace with the following error Error.

Message #

Windows Management Instrumentation ADAP failed to connect to namespace %1 with the following error %2

Fields #

Description

Windows Management Instrumentation ADAP was unable to save object Object in namespace Namespace because of the following error Error.

Message #

Windows Management Instrumentation ADAP was unable to save object %1 in namespace %2 because of the following error %3

Fields #

Description

Windows Management Instrumentation ADAP was unable to create the Win32_Perf base class in Class:Result=Result.

Message #

Windows Management Instrumentation ADAP was unable to create the Win32_Perf base class in %1:Result=%2

Fields #

Description

Windows Management Instrumentation ADAP was unable to create the Win32_PerfRawData base class Class.

Message #

Windows Management Instrumentation ADAP was unable to create the Win32_PerfRawData base class %1

Fields #

Message #

A provider, %1, has been registered in the Windows Management Instrumentation namespace %2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WMI",
    "guid": "1EDEEE53-0AFE-4609-B846-D8C0B2075B1F",
    "event_source_name": "",
    "event_id": 63,
    "version": 2,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-04T11:12:30.841914+00:00",
    "event_record_id": 181,
    "correlation": {},
    "execution": {
      "process_id": 1136,
      "thread_id": 2060
    },
    "channel": "Application",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "data_0x8000003F": {
      "Provider": "NlbsNicProv",
      "Namespace": "Root\\microsoftnlb"
    }
  },
  "message": "A provider, NlbsNicProv, has been registered in the Windows Management Instrumentation namespace Root\\microsoftnlb to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests."
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Windows Management Instrumentation (WMI) Service is starting to restore the WMI repository.

Message #

Windows Management Instrumentation (WMI) Service is starting to restore the WMI repository

Description

The Windows Management Instrumentation Service has recovered from the following backup repository: BackupRepository.

Message #

The Windows Management Instrumentation Service has recovered from the following backup repository: %1.

Fields #

Description

The Windows Management Instrumentation (WMI) Service is starting the backup operation for the WMI repository and is copying data to the following file: BackupFile.

Message #

The Windows Management Instrumentation (WMI) Service is starting the backup operation for the WMI repository and is copying data to the following file: %1

Fields #

Description

The Windows Management Instrumentation repository backup operation completed copying data to BackupFile with error Error.

Message #

The Windows Management Instrumentation repository backup operation completed copying data to %1 with error %2.

Fields #

Message #

The Windows Management Instrumentation (WMI) service detected an inconsistency with the WMI repository in the following directory: %windir%\system32\wbem\repository. The WMI service was not able to recover the repository.  The WMI repository will now be deleted and a new repository will be created based on the auto-recovery mechanism.

Message #

The Windows Management Instrumentation Service failed to load the repository files under the directory %windir%\system32\wbem\repository.  This can be caused by a corruption in the repository files, security settings on this directory, lack of disk space, or other system resource issues like lack of memory.  If this error happens every time the machine is rebooted then the administrator on this machine may need to stop WMI Service, review the security setting on this folder and files under this folder, and run WMIDiag to validate the health of Windows Management Instrumentation

Description

The Windows Management Instrumentation service detected an inconsistency in the following backup file: BackupFile.

Message #

The Windows Management Instrumentation service detected an inconsistency in the following backup file: %1.

Fields #

Description

The Windows Management Instrumentation service encountered the error Error and was not able to restore from the following backup repository: BackupRepository.

Message #

The Windows Management Instrumentation service encountered the error %1 and was not able to restore from the following backup repository: %2.

Fields #

Message #

The %1 namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.

Fields #

Message #

Windows Management Instrumentation Service could not deliver results asynchronously for %1 namespace.  The namespace is marked with RequiresEncryption but WinMgmt could not establish a secure connection back to the client computer.  Ensure there is a trust relationship between the client and server computers so that the client recognizes the server computer account.

Fields #

Description

The Windows Management Instrumentation service has detected an inconsistent system shutdown.

Message #

The Windows Management Instrumentation service has detected an inconsistent system shutdown.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WMI",
    "guid": "1EDEEE53-0AFE-4609-B846-D8C0B2075B1F",
    "event_source_name": "",
    "event_id": 5611,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T00:02:46.971764+00:00",
    "event_record_id": 4411,
    "correlation": {},
    "execution": {
      "process_id": 4020,
      "thread_id": 4688
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Description

Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: QuotaName Value: QuotaValue Maximum value: QuotaThreshold WMIPRVSE PID: HostProcessID Providers hosted in this process: ProvidersInHost.

Message #

Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: %1  Value: %2 Maximum value: %3 WMIPRVSE PID: %4 Providers hosted in this process: %5

Fields #

Description

During the service startup, the Windows Management Instrumentation service was unable to locate the repository files. A new repository will be created based on the auto-recovery mechanism.

Message #

During the service startup, the Windows Management Instrumentation service was unable to locate the repository files. A new repository will be created based on the auto-recovery mechanism.

Description

Windows Management Instrumentation Service started sucessfully.

Message #

Windows Management Instrumentation Service started sucessfully

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WMI",
    "guid": "1EDEEE53-0AFE-4609-B846-D8C0B2075B1F",
    "event_source_name": "",
    "event_id": 5615,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:43.964888+00:00",
    "event_record_id": 1440,
    "correlation": {},
    "execution": {
      "process_id": 3788,
      "thread_id": 3880
    },
    "channel": "Application",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "Windows Management Instrumentation Service started sucessfully"
}

References #

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Description

The Windows Management Instrumentation (WMI) repository was successfully re-created by the auto-recovery mechanism.

Message #

The Windows Management Instrumentation (WMI) repository was successfully re-created by the auto-recovery mechanism.

Description

Windows Management Instrumentation Service subsystems initialized successfully.

Message #

Windows Management Instrumentation Service subsystems initialized successfully

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WMI",
    "guid": "1EDEEE53-0AFE-4609-B846-D8C0B2075B1F",
    "event_source_name": "",
    "event_id": 5617,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:45.613226+00:00",
    "event_record_id": 1441,
    "correlation": {},
    "execution": {
      "process_id": 3788,
      "thread_id": 3564
    },
    "channel": "Application",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "Windows Management Instrumentation Service subsystems initialized successfully"
}

References #

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message #

WMI interop namespace class "%1" has been overwritten. Some of the Interop scenarios might not work properly. Please issue following commands from elevated command prompt to restore the behavior."mofcomp %windir%\system32\wbem\interop.mof" and similarly mofcomp all the interop.mfl under %windir%\system32\wbem and its subdirectories.

Fields #

Message #

The Windows Management Instrumentation (WMI) service detected an inconsistency with the WMI repository in the following directory: %windir%\system32\wbem\repository. The WMI service was not able to recover the repository.  The WMI repository will now be deleted and a new repository will be created based on the auto-recovery mechanism.

Message #

A provider, %1, has been registered in the Windows Management Instrumentation namespace %2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Description

Error encountered when trying to load MOF while recovering .MOF file marked with autorecover.

Message #

Error %1 encountered when trying to load MOF %2 while recovering .MOF file marked with autorecover.

Description

Event filter with query "%2" could not be reactivated in namespace "%1" because of error %3. Events cannot be delivered through this filter until the problem is corrected.

Message #

Event filter with query "%2" could not be reactivated in namespace "%1" because of error %3. Events cannot be delivered through this filter until the problem is corrected.

Message #

Event provider %1 attempted to register a syntactically invalid query "%2". The query will be ignored. The query can be corrected by examining the WMI repository with CIM studio and updating the permanent subscriptions for the listed provider and query. If the permanent subscription is created with MOF file coming with an installed product, the application vendor must be contacted to correct the faulty registration.

Description

Event provider %1 attempted to register an intrinsic event query "%2" in %3 namespace for which the set of target object classes could not be determined. The query will be ignored.

Message #

Event provider %1 attempted to register an intrinsic event query "%2" in %3 namespace for which the set of target object classes could not be determined. The query will be ignored.

Message #

Event provider %1 attempted to register query "%2" in %3 namespace which is too broad.  Event providers cannot provide events that are provided by the system. The query will be ignored. Contact the application vendor.

Description

Event provider %1 attempted to register query "%2" whose target class "%3" in %4 namespace does not exist. The query will be ignored.

Message #

Event provider %1 attempted to register query "%2" whose target class "%3" in %4 namespace does not exist. The query will be ignored.

Description

Event provider %1 attempted to register query "%2" whose target class "%3" is not an event class. The query will be ignored. Contact the application vendor.

Message #

Event provider %1 attempted to register query "%2" whose target class "%3" is not an event class. The query will be ignored. Contact the application vendor.

Message #

Failed to Initialize WMI Core or Provider SubSystem or Event SubSystem with error number %1. This could be due to a badly installed version of WMI, WMI repository upgrade failure, insufficient disk space or insufficient memory.

Message #

Error number %1 was returned in trying to initialize Windows Management Instrumentation Service. This could be due to a badly installed version of WMI, WMI repository upgrade failure, insufficient disk space or insufficient memory.

Description

Windows Management Instrumentation ADAP failed to connect to namespace with the following error.

Message #

Windows Management Instrumentation ADAP failed to connect to namespace %1 with the following error %2

Description

Windows Management Instrumentation ADAP was unable to save object in namespace because of the following error.

Message #

Windows Management Instrumentation ADAP was unable to save object %1 in namespace %2 because of the following error %3

Description

Windows Management Instrumentation ADAP was unable to create the Win32_Perf base class in :Result=.

Message #

Windows Management Instrumentation ADAP was unable to create the Win32_Perf base class in %1:Result=%2

Description

Windows Management Instrumentation ADAP was unable to create the Win32_PerfRawData base class.

Message #

Windows Management Instrumentation ADAP was unable to create the Win32_PerfRawData base class %1

Description

Windows Management Instrumentation (WMI) Service is starting to restore the WMI repository.

Message #

Windows Management Instrumentation (WMI) Service is starting to restore the WMI repository

Description

The Windows Management Instrumentation Service has recovered from the following backup repository: .

Message #

The Windows Management Instrumentation Service has recovered from the following backup repository: %1.

Description

The Windows Management Instrumentation (WMI) Service is starting the backup operation for the WMI repository and is copying data to the following file.

Message #

The Windows Management Instrumentation (WMI) Service is starting the backup operation for the WMI repository and is copying data to the following file: %1

Description

The Windows Management Instrumentation repository backup operation completed copying data to with error .

Message #

The Windows Management Instrumentation repository backup operation completed copying data to %1 with error %2.

Message #

The Windows Management Instrumentation Service failed to load the repository files under the directory %windir%\system32\wbem\repository.  This can be caused by a corruption in the repository files, security settings on this directory, lack of disk space, or other system resource issues like lack of memory.  If this error happens every time the machine is rebooted then the administrator on this machine may need to stop WMI Service, review the security setting on this folder and files under this folder, and run WMIDiag to validate the health of Windows Management Instrumentation

Description

The Windows Management Instrumentation service detected an inconsistency in the following backup file: .

Message #

The Windows Management Instrumentation service detected an inconsistency in the following backup file: %1.

Description

The Windows Management Instrumentation service encountered the error and was not able to restore from the following backup repository: .

Message #

The Windows Management Instrumentation service encountered the error %2 and was not able to restore from the following backup repository: %1.

Message #

The %1 namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.

Message #

Windows Management Instrumentation Service could not deliver results asynchronously for %1 namespace.  The namespace is marked with RequiresEncryption but WinMgmt could not establish a secure connection back to the client computer.  Ensure there is a trust relationship between the client and server computers so that the client recognizes the server computer account.

Description

The Windows Management Instrumentation service has detected an inconsistent system shutdown.

Message #

The Windows Management Instrumentation service has detected an inconsistent system shutdown.

Description

Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: Value: Maximum value: WMIPRVSE PID: Providers hosted in this process.

Message #

Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: %1  Value: %2 Maximum value: %3 WMIPRVSE PID: %4 Providers hosted in this process: %5

Description

During the service startup, the Windows Management Instrumentation service was unable to locate the repository files. A new repository will be created based on the auto-recovery mechanism.

Message #

During the service startup, the Windows Management Instrumentation service was unable to locate the repository files. A new repository will be created based on the auto-recovery mechanism.

Description

Windows Management Instrumentation Service started sucessfully.

Message #

Windows Management Instrumentation Service started sucessfully

Description

The Windows Management Instrumentation (WMI) repository was successfully re-created by the auto-recovery mechanism.

Message #

The Windows Management Instrumentation (WMI) repository was successfully re-created by the auto-recovery mechanism.

Description

Windows Management Instrumentation Service subsystems initialized successfully.

Message #

Windows Management Instrumentation Service subsystems initialized successfully

Message #

WMI interop namespace class "%1" has been overwritten. Some of the Interop scenarios might not work properly. Please issue following commands from elevated command prompt to restore the behavior."mofcomp %windir%\system32\wbem\interop.mof" and similarly mofcomp all the interop.mfl under %windir%\system32\wbem and its subdirectories.