I
Ian.8
Guest
Hi, I have 4 repeating events related to Remote Desktop in my Event Viewer. Other people are having this issue, as well, and Microsoft has advised to seek help on this forum, as it's "too advanced" for the general help forum.
On my machine, I am not using Remote Desktop, and no one else should have access. (Looks like it's meant to be possible to remote out, but not in. I don't need to remote to anywhere.)
These are the events (my machine name is replaced with ***):
1)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:41 PM
Event ID: 145
Task Category: WSMan API call
Level: Information
Keywords: Client
User: SYSTEM
Computer: ***
Description:
WSMan operation Enumeration started with resourceUri http://schemas.microsoft.com/wbem/wsman/1/config/listener
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>145</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>1</Opcode>
<Keywords>0x4000000000000002</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:41.505795000Z" />
<EventRecordID>861</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0002-cf3e-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="1152" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="operationName">Enumeration</Data>
<Data Name="resourceUri">http://schemas.microsoft.com/wbem/wsman/1/config/listener</Data>
</EventData>
</Event>
2)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:43 PM
Event ID: 142
Task Category: Response handling
Level: Error
Keywords: Client
User: SYSTEM
Computer: ***
Description:
WSMan operation Enumeration failed, error code 2150858770
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>142</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>10</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000002</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:43.600727900Z" />
<EventRecordID>864</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0002-cf3e-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="5796" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="operationName">Enumeration</Data>
<Data Name="errorCode">2150858770</Data>
</EventData>
</Event>
3)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:43 PM
Event ID: 161
Task Category: User authentication
Level: Error
Keywords: Security,Client
User: SYSTEM
Computer: ***
Description:
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>161</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x400000000000000a</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:43.598161100Z" />
<EventRecordID>863</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0001-553f-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="5796" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="authFailureMessage">The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".</Data>
</EventData>
</Event>
4)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:43 PM
Event ID: 254
Task Category: None
Level: Information
Keywords: Activity Transfer,Server,Client
User: SYSTEM
Computer: ***
Description:
Activity Transfer
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>254</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000026</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:43.598158500Z" />
<EventRecordID>862</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0001-553f-27ddb9d0d401}" RelatedActivityID="{dd2731b8-d0b9-0002-cf3e-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="5796" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
</EventData>
</Event>
What story are these events telling? Is there something that could be shut off if not in use?
Here are other threads by other users:
Windows 10 Remote Management events (user advised to post over here)
Windows 10 Windows Remote Management Event IDs 142 and 161 (user advised to post over here)
What's WinRM? - Windows 10 Forums (user advised that some sort of tool may be making calls, but Microsoft forums appear to be useless; they link to the above post)
Thanks.
More...
On my machine, I am not using Remote Desktop, and no one else should have access. (Looks like it's meant to be possible to remote out, but not in. I don't need to remote to anywhere.)
These are the events (my machine name is replaced with ***):
1)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:41 PM
Event ID: 145
Task Category: WSMan API call
Level: Information
Keywords: Client
User: SYSTEM
Computer: ***
Description:
WSMan operation Enumeration started with resourceUri http://schemas.microsoft.com/wbem/wsman/1/config/listener
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>145</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>1</Opcode>
<Keywords>0x4000000000000002</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:41.505795000Z" />
<EventRecordID>861</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0002-cf3e-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="1152" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="operationName">Enumeration</Data>
<Data Name="resourceUri">http://schemas.microsoft.com/wbem/wsman/1/config/listener</Data>
</EventData>
</Event>
2)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:43 PM
Event ID: 142
Task Category: Response handling
Level: Error
Keywords: Client
User: SYSTEM
Computer: ***
Description:
WSMan operation Enumeration failed, error code 2150858770
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>142</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>10</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000002</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:43.600727900Z" />
<EventRecordID>864</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0002-cf3e-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="5796" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="operationName">Enumeration</Data>
<Data Name="errorCode">2150858770</Data>
</EventData>
</Event>
3)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:43 PM
Event ID: 161
Task Category: User authentication
Level: Error
Keywords: Security,Client
User: SYSTEM
Computer: ***
Description:
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>161</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x400000000000000a</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:43.598161100Z" />
<EventRecordID>863</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0001-553f-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="5796" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="authFailureMessage">The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".</Data>
</EventData>
</Event>
4)
Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 3/1/2019 9:38:43 PM
Event ID: 254
Task Category: None
Level: Information
Keywords: Activity Transfer,Server,Client
User: SYSTEM
Computer: ***
Description:
Activity Transfer
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>254</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000026</Keywords>
<TimeCreated SystemTime="2019-03-02T05:38:43.598158500Z" />
<EventRecordID>862</EventRecordID>
<Correlation ActivityID="{dd2731b8-d0b9-0001-553f-27ddb9d0d401}" RelatedActivityID="{dd2731b8-d0b9-0002-cf3e-27ddb9d0d401}" />
<Execution ProcessID="1144" ThreadID="5796" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>***</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
</EventData>
</Event>
What story are these events telling? Is there something that could be shut off if not in use?
Here are other threads by other users:
Windows 10 Remote Management events (user advised to post over here)
Windows 10 Windows Remote Management Event IDs 142 and 161 (user advised to post over here)
What's WinRM? - Windows 10 Forums (user advised that some sort of tool may be making calls, but Microsoft forums appear to be useless; they link to the above post)
Thanks.
More...