WMI activity Event ID 5861

  • Question

  • Posted this on Microsoft Answers; they referred me here, so here goes....


    Opened the WMI-Activity%4Operational log and found thousands of this one event. I do not have the event on the laptop, just the desktop. Operating system: Windows 10 Pro. WMI runs all of the time with at least 2 instances open, then there's a server one that runs and that reverse thing that also runs. Below I have pasted both General and Details; hopefully someone can tell me what this is?

    Namespace = //./root/subscription; Eventfilter = SCM Event Log Filter (refer to its activate eventid:5859); Consumer = NTEventLogEventConsumer="SCM Event Log Consumer"; PossibleCause = Binding EventFilter:
    instance of __EventFilter
    {
        CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
        EventNamespace = "root\\cimv2";
        Name = "SCM Event Log Filter";
        Query = "select * from MSFT_SCMEventLogEvent";
        QueryLanguage = "WQL";
    };
    Perm. Consumer:
    instance of NTEventLogEventConsumer
    {
        Category = 0;
        CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
        EventType = 1;
        Name = "SCM Event Log Consumer";
        NameOfUserSIDProperty = "sid";
        SourceName = "Service Control Manager";
    };


    System

      - Provider

       [ Name]  Microsoft-Windows-WMI-Activity
       [ Guid]  {1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}
     
       EventID 5861
     
       Version 0
     
       Level 0
     
       Task 0
     
       Opcode 0
     
       Keywords 0x4000000000000000
     
      - TimeCreated

       [ SystemTime]  2017-09-23T07:20:08.309942800Z
     
       EventRecordID 7613
     
       Correlation
     
      - Execution

       [ ProcessID]  4520
       [ ThreadID]  720
     
       Channel Microsoft-Windows-WMI-Activity/Operational
     
       Computer DESKTOP-L2LHDAJ
     
      - Security

       [ UserID]  S-1-5-18
     

    - UserData

      - Operation_ESStoConsumerBinding

       Namespace //./root/subscription
     
       ESS SCM Event Log Filter
     
       CONSUMER NTEventLogEventConsumer="SCM Event Log Consumer"
     
       PossibleCause Binding EventFilter: instance of __EventFilter { CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventNamespace = "root\\cimv2"; Name = "SCM Event Log Filter"; Query = "select * from MSFT_SCMEventLogEvent"; QueryLanguage = "WQL"; }; Perm. Consumer: instance of NTEventLogEventConsumer { Category = 0; CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventType = 1; Name = "SCM Event Log Consumer"; NameOfUserSIDProperty = "sid"; SourceName = "Service Control Manager"; }; 

    Saturday, September 23, 2017 7:20 PM

All replies

  • Please upload the whole WMI-Activity%4Operational.evtx file to a network drive and share it with us.


    Best Regards, StarSprite

    Tuesday, October 3, 2017 6:17 AM
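
The record pasted in the question is a 5861 event from Microsoft-Windows-WMI-Activity/Operational: its UserData/Operation_ESStoConsumerBinding element names the namespace (root/subscription), the filter (ESS), the consumer, and dumps the __EventFilter and consumer instances as MOF. The script below is an added example, not part of the thread and not written by either poster. It enumerates the permanent WMI subscriptions that such records describe, marks the one binding Windows itself ships with (the "SCM Event Log Filter" bound to the "SCM Event Log Consumer", the pair shown in the question) as expected, surfaces any other consumer together with its command line or script text, and then summarises the 5861 events by filter and consumer. The $KnownGood allow-list and the two function names are this example's own choices, not Windows or WMI identifiers. It needs an elevated PowerShell session on the affected machine, since reading root\subscription normally requires administrative rights.

```powershell
# Added example (not from the thread): list permanent WMI event subscriptions
# and correlate them with the 5861 binding events in WMI-Activity/Operational.
# Run elevated on the machine in question.

# The filter/consumer pair Windows installs by default. Anything not on this
# allow-list deserves a look: a permanent consumer runs as SYSTEM every time
# its filter fires, which is why WMI subscriptions are used for persistence.
$KnownGood = @{
    Filters   = @('SCM Event Log Filter')
    Consumers = @('SCM Event Log Consumer')
}

# Pull Name="..." out of either a WMI object path string
# (__EventFilter.Name="SCM Event Log Filter") or a CIM reference's string form.
function Get-WmiRefName([object]$Ref) {
    if ("$Ref" -match 'Name\s*=\s*"([^"]+)"') { $Matches[1] } else { "$Ref" }
}

function Get-WmiPermanentSubscription {
    $ns        = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $filterName   = Get-WmiRefName $b.Filter
        $consumerName = Get-WmiRefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName

        # CommandLineTemplate and ScriptText exist only on the CommandLine and
        # ActiveScript consumer classes; they are where a payload would live,
        # so show them whenever present. NTEventLogEventConsumer has neither.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                        { $null }

        [pscustomobject]@{
            Filter        = $filterName
            Query         = $f.Query
            ConsumerClass = $c.CimClass.CimClassName
            Consumer      = $consumerName
            Payload       = $payload
            KnownGood     = ($KnownGood.Filters   -contains $filterName) -and
                            ($KnownGood.Consumers -contains $consumerName)
        }
    }
}

function Get-WmiBindingEvent {
    param([int]$MaxEvents = 500)
    $flt = @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when the log has no
    # matching events, which is a normal state on a quiet machine.
    Get-WinEvent -FilterHashtable $flt -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # UserData/Operation_ESStoConsumerBinding carries Namespace, ESS (the
            # filter name), CONSUMER (Class="Name") and the PossibleCause MOF
            # dump, exactly as in the Details pane pasted in the question.
            $x = [xml]$_.ToXml()
            $d = $x.Event.UserData.Operation_ESStoConsumerBinding
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Namespace = $d.Namespace
                Filter    = $d.ESS
                Consumer  = $d.CONSUMER
                KnownGood = ($KnownGood.Filters -contains $d.ESS)
            }
        }
}

$subs = Get-WmiPermanentSubscription
'Permanent subscriptions in root\subscription:'
$subs | Format-Table Filter, ConsumerClass, Consumer, KnownGood -AutoSize

$unknown = $subs | Where-Object { -not $_.KnownGood }
if ($unknown) {
    'Subscriptions NOT on the allow-list (review query and payload):'
    $unknown | Format-List Filter, Query, ConsumerClass, Consumer, Payload
} else {
    'Only the default SCM Event Log binding is present.'
}

'5861 events, grouped by filter/consumer:'
Get-WmiBindingEvent | Group-Object Filter, Consumer, KnownGood |
    Select-Object Count, Name | Format-Table -AutoSize
```

Thousands of 5861 events for the same SCM Event Log binding, with nothing outside the allow-list in the live root\subscription namespace, point at the default binding being re-registered rather than at a new subscription; a filter or consumer name that appears in the event log but not in the current enumeration is the case worth pulling the .evtx for, since it means a subscription existed at some point and has since been removed.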