NXLog Docs

Windows Management Instrumentation (WMI)

The Windows Management Instrumentation (WMI) system is an implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards. It provides an infrastructure for managing remote systems and providing management data. For more information about WMI, see Windows Management Instrumentation on Microsoft Docs.

WMI event logging uses Event Tracing for Windows (ETW). These logs can be collected via Windows Event Log or ETW. For Windows versions prior to Windows Vista and Windows Server 2008, it is also possible to read from WMI log files.

Reading WMI events from the Windows Event Log

WMI logs events to Microsoft-Windows-WMI-Activity/Operational in the Windows Event Log, including these event IDs:

  • Event ID 5857: Operation_StartedOperational

  • Event ID 5858: Operation_ClientFailure

  • Event ID 5859: Operation_EssStarted

  • Event ID 5860: Operation_TemporaryEssStarted

  • Event ID 5861: Operation_ESStoConsumerBinding

Example 1. Collecting WMI logs with im_msvistalog

The following configuration will collect and parse these events from Microsoft-Windows-WMI-Activity/Operational using the im_msvistalog module. The xm_xml module is used to further parse the XML data in the $UserData field.

nxlog.conf
<Extension _xml>
    Module  xm_xml
</Extension>

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-WMI-Activity/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    if $UserData parse_xml($UserData);
</Input>
Output sample
{
  "EventTime": "2019-02-24T21:19:36.603548+01:00",
  "Hostname": "Host.DOMAIN.local",
  "Keywords": "4611686018427387904",
  "EventType": "ERROR",
  "SeverityValue": 4,
  "Severity": "ERROR",
  "EventID": 5858,
  "SourceName": "Microsoft-Windows-WMI-Activity",
  "ProviderGuid": "{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}",
  "Version": 0,
  "TaskValue": 0,
  "OpcodeValue": 0,
  "RecordNumber": 7314,
  "ActivityID": "{3459A8FD-CC70-0000-47C6-593470CCD401}",
  "ExecutionProcessID": 1020,
  "ExecutionThreadID": 8840,
  "Channel": "Microsoft-Windows-WMI-Activity/Operational",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "Message": "Id = {3459A8FD-CC70-0000-47C6-593470CCD401}; ClientMachine = HOST; User = NT AUTHORITY\\SYSTEM; ClientProcessId = 3640; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : Select * from Win32_Service Where Name = 'MpsSvc'; ResultCode = 0x80041032; PossibleCause = Unknown",
  "Opcode": "Info",
  "UserData": "<Operation_ClientFailure xmlns='http://manifests.microsoft.com/win/2006/windows/WMI'><Id>{3459A8FD-CC70-0000-47C6-593470CCD401}</Id><ClientMachine>HOST</ClientMachine><User>NT AUTHORITY\\SYSTEM</User><ClientProcessId>3640</ClientProcessId><Component>Unknown</Component><Operation>Start IWbemServices::ExecQuery - root\\cimv2 : Select * from Win32_Service Where Name = 'MpsSvc'</Operation><ResultCode>0x80041032</ResultCode><PossibleCause>Unknown</PossibleCause></Operation_ClientFailure>",
  "EventReceivedTime": "2019-02-24T21:19:38.104568+01:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_msvistalog",
  "Operation_ClientFailure.Id": "{3459A8FD-CC70-0000-47C6-593470CCD401}",
  "Operation_ClientFailure.ClientMachine": "HOST",
  "Operation_ClientFailure.User": "NT AUTHORITY\\SYSTEM",
  "Operation_ClientFailure.ClientProcessId": "3640",
  "Operation_ClientFailure.Component": "Unknown",
  "Operation_ClientFailure.Operation": "Start IWbemServices::ExecQuery - root\\cimv2 : Select * from Win32_Service Where Name = 'MpsSvc'",
  "Operation_ClientFailure.ResultCode": "0x80041032",
  "Operation_ClientFailure.PossibleCause": "Unknown"
}

Reading WMI events via ETW

WMI events can also be collected via ETW directly. Note that WMI tracing is not enabled by default—see Tracing WMI Activity on Microsoft Docs.

Example 2. Collecting WMI logs with im_etw

The following configuration uses the im_etw module to collect ETW logs from the Microsoft-Windows-WMI-Activity provider.

nxlog.conf
<Input etw_in>
    Module      im_etw
    Provider    Microsoft-Windows-WMI-Activity
</Input>
Output sample
{
  "SourceName": "Microsoft-Windows-WMI-Activity",
  "ProviderGuid": "{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}",
  "EventID": 100,
  "Version": 0,
  "Channel": 18,
  "OpcodeValue": 0,
  "TaskValue": 0,
  "Keywords": "2305843009213693952",
  "EventTime": "2019-03-04T19:48:48.842576+01:00",
  "ExecutionProcessID": 1500,
  "ExecutionThreadID": 8104,
  "ActivityID": "{AF4CFCDC-66C1-4A9A-B7D7-13ECD1AAE01A}",
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "ComponentName": "MI_Client",
  "MessageDetail": "Operation Enumerate Instances: session=0000008F1C752638, operation=0000008F1D03DCF0, internal-operation=0000008F1D63ED90, namespace=root\\Microsoft\\Windows\\Storage\\SM, classname=MSFT_SMStorageVolume",
  "FileName": "admin\\wmi\\wmiv2\\client\\api\\operation.c:2008",
  "EventReceivedTime": "2019-03-04T19:48:49.888767+01:00",
  "SourceModuleName": "etw_in",
  "SourceModuleType": "im_etw"
}

Reading from WMI log files

There are three WMI provider log files available on Windows versions prior to Windows Vista and Windows Server 2008. These files are normally located in %systemroot%\system32\wbem\logs. For more information, see WMI Provider Log Files on Microsoft Docs.

These log files can be configured by modifying the Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging value. Set it to 1 for error logging or 2 for verbose logging. For more details about configuring the WMI log files, see Logging WMI Activity.

Example 3. Collecting and parsing WMI Provider log files

This configuration collects and parses events from the three WMI log files.

nxlog.conf
<Input in>
    Module  im_file
    File    'C:\WINDOWS\system32\wbem\Logs\wmiprov.log'
    File    'C:\WINDOWS\system32\wbem\Logs\ntevt.log'
    File    'C:\WINDOWS\system32\wbem\Logs\dsprovider.log'
    <Exec>
        file_name() =~ /(?<Filename>[^\\]+)$/;
        if $raw_event =~ /^\((?<EventTime>.+)\.\d{7}\) : (?<Message>.+)$/
            $EventTime = strptime($EventTime, "%a %b %d %H:%M:%S %Y");
    </Exec>
</Input>
Output sample (wmiprov.log)
{
  "EventReceivedTime": "2019-03-12T18:32:16.296875+01:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "Filename": "wmiprov.log",
  "EventTime": "2019-03-12T18:32:16.000000+01:00",
  "Message": "C:\\WINDOWS\\system32\\DRIVERS\\bthpan.sys[NdisMofResource]"
}
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

Last revision: 12 March 2019