WMI-Activity/Operational.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

WMI is the hidden nervous system of Windows - a powerful management interface designed for administrators to query system state and push commands remotely. Attackers use it to execute code, move laterally and establish persistence without ever dropping an executable to disk. The WMI Activity Operational log is where those actions leave their mark.
Microsoft-Windows-WMI-Activity/Operational - written by the WMI service (winmgmt)
General
The WMI Activity Operational log records queries, method invocations and, most critically, event consumer registrations. WMI persistence - where an attacker binds a script or executable to a system event via an Event Filter, Binding and Consumer triplet - is one of the stealthiest persistence mechanisms on Windows because it leaves no registry Run key and no scheduled task. The log captures these registrations at the moment they are created, providing a forensic record that the WMI repository itself may not clearly expose. Event ID 5861 is the primary signal and should be treated as a high-priority alert in any environment.
Traces
The most forensically significant Event IDs in the WMI-Activity Operational log are:
| Event ID | Description |
|---|---|
| 5857 | WMI provider loaded. Records when a WMI provider DLL is loaded into the service - useful for detecting malicious or unexpected providers. |
| 5858 | WMI query error. Can reveal reconnaissance activity where an attacker's WMI query fails due to permissions or an invalid namespace. |
| 5860 | Temporary event consumer registered. Indicates a transient WMI subscription - typically session-scoped and less persistent than a permanent consumer. |
| 5861 | Permanent event consumer registered. The primary persistence indicator. Records the full consumer definition including the script or executable path that fires on the subscribed event trigger. |
Forensic Value
- Expose fileless persistence: Event ID 5861 documents the complete WMI subscription triplet - Filter, Binding and Consumer. Actors often use WMI to bypass detection mechanisms that target Scheduled Tasks.
- Attribute remote WMI execution: Identify the source host and process responsible for remote WMI invocation, supporting lateral movement attribution.
- Correlate with WMI repository artifacts: Cross-referencing 5861 events against the live WMI repository confirms whether a subscription remains active.
- Detect WMI-based execution chains: Linking WMI events to process creation records reveals the full execution chain from trigger to payload.
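As an added example (not code from the original page), the PowerShell below performs the 5861-to-repository correlation described above: it pulls every permanent consumer registration from the log and checks whether the named Filter and Consumer still exist in root\subscription. The regular expressions assume the `Eventfilter = …; Consumer = …` message layout this log writes, which the page itself does not reproduce, so inspect `$_.Message` if a field comes back empty.

```powershell
# Added example: correlate Event ID 5861 registrations with the live WMI repository.
# Run in an elevated PowerShell session on the host being examined.

$logName = 'Microsoft-Windows-WMI-Activity/Operational'

# Step 1: every 5861 event still retained in the log. An empty log is not an error here.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 5861 } -ErrorAction SilentlyContinue

# Step 2: names currently registered in the repository. __EventConsumer is the abstract base class,
# so querying it returns CommandLineEventConsumer, ActiveScriptEventConsumer and the other subtypes.
$liveFilters   = @(Get-CimInstance -Namespace 'root/subscription' -ClassName __EventFilter   | ForEach-Object Name)
$liveConsumers = @(Get-CimInstance -Namespace 'root/subscription' -ClassName __EventConsumer | ForEach-Object Name)

# Step 3: pull one field out of the message text; returns '' when the pattern is absent.
# The patterns are an assumption about the message layout, not a documented schema.
function Get-Field([string]$Text, [string]$Pattern) {
    if ($Text -match $Pattern) { return $Matches[1].Trim() } else { return '' }
}

$events | ForEach-Object {
    $m = $_.Message
    $filterName   = Get-Field $m 'Eventfilter = (.+?) \('
    $consumerRef  = Get-Field $m 'Consumer = ([^;]+);'          # e.g. CommandLineEventConsumer="Name"
    $consumerName = Get-Field $consumerRef '="?([^"]+)"?$'       # strip class prefix and quotes
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Filter      = $filterName
        Query       = Get-Field $m 'Query = "(.*?)";'            # the WQL trigger condition
        Consumer    = $consumerRef
        Payload     = Get-Field $m '(?:CommandLineTemplate|ScriptText) = "(.*?)";'
        # True only when both halves of the subscription are still present in the repository.
        StillActive = ($liveFilters -contains $filterName) -and ($liveConsumers -contains $consumerName)
    }
} | Sort-Object TimeCreated -Descending | Format-List
```

A registration with StillActive = False was removed after the fact; the 5861 record is then the only remaining evidence that the subscription existed, which is the point of retaining this log.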
For more info, see these articles: Scheduled Tasks