WMI-Activity Operational Log

windowsPersistence MechanismsDisk ImageSIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Description

WMI Activity operational log capturing Event 5861 (new permanent WMI event subscription created) and Event 5857-5860 (provider loading and query execution errors).

Forensic Value

Event 5861 is the timestamped companion to OBJECTS.DATA persistence analysis, recording exactly when a new WMI event subscription was created and the subscription details including the consumer command. This timestamps the WMI persistence installation whereas OBJECTS.DATA alone does not contain creation timestamps. Provider load events (5857) can reveal malicious WMI providers loaded from unusual paths.

Tools Required

KAPEEvtxECmd (Eric Zimmerman)Event Log ExplorerChainsaw

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical