Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Monday, March 4, 2019 4:09 AM
Hi, I have 4 repeating events related to Remote Desktop in my Event Viewer. Other people are having this issue, as well, and Microsoft has advised to seek help on this forum, as it's "too advanced" for the general help forum.
On my machine, I am not using Remote Desktop, and no one else should have access. (Looks like it's meant to be possible to remote out, but not in. I don't need to remote to anywhere.)
These are the events (my machine name is replaced with ***):
1)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:41 PM
Event ID: 145
Task Category: WSMan API call
Level: Information
Keywords: Client
User: SYSTEM
Computer: ***
Description:
WSMan operation Enumeration started with resourceUri http://schemas.microsoft.com/wbem/wsman/1/config/listener
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>145</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>1</Opcode>
<Keywords>0x4000000000000002</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:41.505795000Z" />
<EventRecordID>861</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0002-cf3e-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="1152" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="operationName">Enumeration</Data>
<Data Name="resourceUri">http://schemas.microsoft.com/wbem/wsman/1/config/listener</Data>
</EventData>
</Event>
2)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:43 PM
Event ID: 142
Task Category: Response handling
Level: Error
Keywords: Client
User: SYSTEM
Computer: ***
Description:
WSMan operation Enumeration failed, error code 2150858770
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>142</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>10</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000002</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:43.600727900Z" />
<EventRecordID>864</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0002-cf3e-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="5796" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="operationName">Enumeration</Data>
<Data Name="errorCode">2150858770</Data>
</EventData>
</Event>
3)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:43 PM
Event ID: 161
Task Category: User authentication
Level: Error
Keywords: Security,Client
User: SYSTEM
Computer: ***
Description:
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>161</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x400000000000000a</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:43.598161100Z" />
<EventRecordID>863</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0001-553f-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="5796" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="authFailureMessage">The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".</Data>
</EventData>
</Event>
4)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:43 PM
Event ID: 254
Task Category: None
Level: Information
Keywords: Activity Transfer,Server,Client
User: SYSTEM
Computer: ***
Description:
Activity Transfer
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>254</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000026</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:43.598158500Z" />
<EventRecordID>862</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0001-553f-27ddb9d0d401}" RelatedActivityID="{dd2731b8-d0b9-0002-cf3e-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="5796" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
</EventData>
</Event>
What story are these events telling? Is there something that could be shut off if not in use?
Here are other threads by other users:
https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/windows-10-remote-management-events/188fb37f-2ddb-4f71-945c-c0d015e4800f (user advised to post over here)
https://answers.microsoft.com/en-us/windows/forum/windows_10-security/windows-10-windows-remote-management-event-ids-142/e7e95eb0-d4d0-4c56-b71c-1c7a09cd1492 (user advised to post over here)
https://www.tenforums.com/general-support/69175-whats-winrm.html (user advised that some sort of tool may be making calls, but Microsoft forums appear to be useless; they link to the above post)
Thanks.
All replies (3)
Monday, March 4, 2019 6:41 AM
Hi,
Thanks for your post in our forum.
As I know, many users have these 4 events on their computers. And, what issue do you have(not including these 4 events)? For example, some RDP issues caused by these for events?
So far, I have not found a solution to these events, I will continue to test and research. If there are any update or workaround, I will reply to you as soon as possible.
And, if the events did not affect your environment, we could ignore them temporarily.
Or try to update/upgrade the windows version to see if it helps.
Hope the above information can help you.
Thanks again for your understanding and support.
Best Regards,
Otto
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, March 6, 2019 6:43 AM
Hi,
Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
Best Regards,
Otto Wang
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, March 8, 2019 1:52 AM
Hi,
Was your issue resolved?
If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If no, please reply and tell us the current situation in order to provide further help.
Best Regards,
Otto Wang
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].