I see two instances of wmi running all the time, there's also one that says server and another that says reverse something but these do not run long. Below are both the general information and the details on this event.
Namespace = //./root/subscription; Eventfilter = SCM Event Log Filter (refer to its activate eventid:5859); Consumer = NTEventLogEventConsumer="SCM Event Log Consumer"; PossibleCause = Binding EventFilter:
instance of __EventFilter
{
CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
EventNamespace = "root\\cimv2";
Name = "SCM Event Log Filter";
Query = "select * from MSFT_SCMEventLogEvent";
QueryLanguage = "WQL";
};
Perm. Consumer:
instance of NTEventLogEventConsumer
{
Category = 0;
CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
EventType = 1;
Name = "SCM Event Log Consumer";
NameOfUserSIDProperty = "sid";
SourceName = "Service Control Manager";
};
System
- Provider
[ Name] Microsoft-Windows-WMI-Activity
[ Guid] {1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}
EventID 5861
Version 0
Level 0
Task 0
Opcode 0
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2017-09-23T07:20:08.309942800Z
EventRecordID 7613
Correlation
- Execution
[ ProcessID] 4520
[ ThreadID] 720
Channel Microsoft-Windows-WMI-Activity/Operational
Computer DESKTOP-L2LHDAJ
- Security
[ UserID] S-1-5-18
- UserData
- Operation_ESStoConsumerBinding
Namespace //./root/subscription
ESS SCM Event Log Filter
CONSUMER NTEventLogEventConsumer="SCM Event Log Consumer"
PossibleCause Binding EventFilter: instance of __EventFilter { CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventNamespace = "root\\cimv2"; Name = "SCM Event Log Filter"; Query = "select * from MSFT_SCMEventLogEvent"; QueryLanguage = "WQL"; }; Perm. Consumer: instance of NTEventLogEventConsumer { Category = 0; CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventType = 1; Name = "SCM Event Log Consumer"; NameOfUserSIDProperty = "sid"; SourceName = "Service Control Manager"; };
Namespace = //./root/subscription; Eventfilter = SCM Event Log Filter (refer to its activate eventid:5859); Consumer = NTEventLogEventConsumer="SCM Event Log Consumer"; PossibleCause = Binding EventFilter:
instance of __EventFilter
{
CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
EventNamespace = "root\\cimv2";
Name = "SCM Event Log Filter";
Query = "select * from MSFT_SCMEventLogEvent";
QueryLanguage = "WQL";
};
Perm. Consumer:
instance of NTEventLogEventConsumer
{
Category = 0;
CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
EventType = 1;
Name = "SCM Event Log Consumer";
NameOfUserSIDProperty = "sid";
SourceName = "Service Control Manager";
};
System
- Provider
[ Name] Microsoft-Windows-WMI-Activity
[ Guid] {1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}
EventID 5861
Version 0
Level 0
Task 0
Opcode 0
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2017-09-23T07:20:08.309942800Z
EventRecordID 7613
Correlation
- Execution
[ ProcessID] 4520
[ ThreadID] 720
Channel Microsoft-Windows-WMI-Activity/Operational
Computer DESKTOP-L2LHDAJ
- Security
[ UserID] S-1-5-18
- UserData
- Operation_ESStoConsumerBinding
Namespace //./root/subscription
ESS SCM Event Log Filter
CONSUMER NTEventLogEventConsumer="SCM Event Log Consumer"
PossibleCause Binding EventFilter: instance of __EventFilter { CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventNamespace = "root\\cimv2"; Name = "SCM Event Log Filter"; Query = "select * from MSFT_SCMEventLogEvent"; QueryLanguage = "WQL"; }; Perm. Consumer: instance of NTEventLogEventConsumer { Category = 0; CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventType = 1; Name = "SCM Event Log Consumer"; NameOfUserSIDProperty = "sid"; SourceName = "Service Control Manager"; };
Facebook
Twitter
Instagram