EventPeeker
Event ID 5857 · Information · Microsoft-Windows-WMI-Activity/Operational · T1546.003

Windows Event ID 5857: WMI Provider Activity

Logged when a WMI provider is loaded or invoked. Captures the WMI namespace, provider name, and the initiating process, providing visibility into WMI consumer activity.

MITRE ATT&CK

Technique

T1546.003 · Windows Management Instrumentation Event Subscription

Tactic

Persistence

View on attack.mitre.org →

Why It Matters

WMI is one of the most abused Windows subsystems for persistence, lateral movement, and stealthy execution. WMI event subscriptions (permanent consumers) survive reboots and run without a visible process. Event ID 5857 reveals which WMI providers are being loaded and by what process, helping identify malicious consumers established for persistence or remote command execution.

Key Fields

ProviderName: The WMI provider being invoked — look for unexpected or custom provider names
HostProcess: The process hosting the provider — WmiPrvSE.exe is normal; other processes are suspicious
Namespace: The WMI namespace accessed — root\subscription is used for persistence subscriptions
ResultCode: 0x0 = success; non-zero values indicate errors that may reveal probing activity

Investigation Tips

  1. Access to the root\subscription namespace is a primary indicator of WMI persistence — this is where permanent WMI event subscriptions are registered.
  2. Check HostProcess: legitimate WMI runs through WmiPrvSE.exe. If the provider is loaded by powershell.exe, cmd.exe, or an unusual executable, treat it as suspicious.
  3. Correlate with Event ID 5858 (WMI provider errors) — attackers probing WMI or using malformed subscriptions often generate 5858 errors alongside successful 5857 events.
  4. Is this always malicious? No — WMI is extensively used by management tools, monitoring agents (SCCM, Splunk, SolarWinds), and Windows itself. Baseline which providers load in your environment and alert on anomalies.
  5. Pair with Event ID 4688 to identify the parent process that initiated WMI activity — this traces execution back to the original attack vector.
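
The five tips above can be turned into a small triage routine. The following Python is an added example, not EventPeeker's code: it parses a batch of constructed 5857/5858-style records and flags each 5857 load that touches root\subscription, runs in a host other than WmiPrvSE.exe, returns a non-zero ResultCode, or names a provider outside a baseline allowlist, and it marks hosts that also produced 5858 errors in the same batch. The flat XML layout, the baseline provider list, and the sample records are assumptions made for the example; only the field names come from this page.

```python
"""Triage rules for Windows Event ID 5857 (WMI provider activity).

Added example. The XML layout below is a simplified stand-in for the real
event schema; the field names (ProviderName, HostProcess, Namespace,
ResultCode) are the ones this page describes.
"""
import xml.etree.ElementTree as ET

# Constructed sample records (not real log data). Layout is an assumption.
SAMPLE_EVENTS = """<Events>
  <Event><EventID>5857</EventID>
    <ProviderName>CIMWin32</ProviderName>
    <HostProcess>wmiprvse.exe</HostProcess>
    <Namespace>root\\cimv2</Namespace>
    <ResultCode>0x0</ResultCode></Event>
  <Event><EventID>5857</EventID>
    <ProviderName>CIMWin32</ProviderName>
    <HostProcess>wmiprvse.exe</HostProcess>
    <Namespace>root\\subscription</Namespace>
    <ResultCode>0x0</ResultCode></Event>
  <Event><EventID>5857</EventID>
    <ProviderName>CustomProvider</ProviderName>
    <HostProcess>powershell.exe</HostProcess>
    <Namespace>root\\cimv2</Namespace>
    <ResultCode>0x80041002</ResultCode></Event>
  <Event><EventID>5858</EventID>
    <ProviderName>CustomProvider</ProviderName>
    <HostProcess>powershell.exe</HostProcess>
    <Namespace>root\\cimv2</Namespace>
    <ResultCode>0x80041002</ResultCode></Event>
</Events>"""

# Tip 2: the process that normally hosts providers (compared case-insensitively).
EXPECTED_HOSTS = {"wmiprvse.exe"}
# Tip 1: the namespace where permanent event subscriptions are registered.
PERSISTENCE_NAMESPACE = "root\\subscription"
# Tip 4: providers observed during a baseline period. Constructed allowlist.
BASELINE_PROVIDERS = {"CIMWin32", "MS_NT_EVENTLOG_PROVIDER"}


def parse_events(xml_text):
    """Return one dict per <Event>, carrying the fields the page names."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("Event"):
        events.append({
            "EventID": int(ev.findtext("EventID")),
            "ProviderName": ev.findtext("ProviderName", ""),
            "HostProcess": ev.findtext("HostProcess", ""),
            "Namespace": ev.findtext("Namespace", ""),
            "ResultCode": ev.findtext("ResultCode", "0x0"),
        })
    return events


def triage_5857(event, baseline=BASELINE_PROVIDERS):
    """Return the reasons a single 5857 record deserves a closer look."""
    reasons = []
    if event["Namespace"].lower() == PERSISTENCE_NAMESPACE:
        reasons.append("root\\subscription namespace (permanent subscription location)")
    if event["HostProcess"].lower() not in EXPECTED_HOSTS:
        reasons.append(f"unexpected host process {event['HostProcess']}")
    if int(event["ResultCode"], 16) != 0:
        reasons.append(f"non-zero ResultCode {event['ResultCode']}")
    if event["ProviderName"] not in baseline:
        reasons.append(f"provider {event['ProviderName']} not in baseline")
    return reasons


def hosts_with_errors(events):
    """Tip 3: host processes that logged 5858 errors as well as 5857 loads."""
    loaded = {e["HostProcess"].lower() for e in events if e["EventID"] == 5857}
    failed = {e["HostProcess"].lower() for e in events if e["EventID"] == 5858}
    return loaded & failed


def triage_all(xml_text):
    """Return (ProviderName, HostProcess, reasons) for every flagged 5857 record."""
    events = parse_events(xml_text)
    noisy_hosts = hosts_with_errors(events)
    findings = []
    for e in events:
        if e["EventID"] != 5857:
            continue
        reasons = triage_5857(e)
        if e["HostProcess"].lower() in noisy_hosts:
            reasons.append("same host also logged 5858 provider errors")
        if reasons:
            findings.append((e["ProviderName"], e["HostProcess"], reasons))
    return findings


if __name__ == "__main__":
    for provider, host, reasons in triage_all(SAMPLE_EVENTS):
        print(f"{provider} via {host}:")
        for reason in reasons:
            print("  -", reason)
```

On the constructed batch the first record (CIMWin32 in WmiPrvSE.exe, root\cimv2, success) is silent, the second is flagged only for the root\subscription namespace, and the third collects four reasons: a non-standard host, a non-zero result, an unknown provider, and a matching 5858 error from the same host. Real deployments would replace BASELINE_PROVIDERS with the set observed during the baseline period that tip 4 recommends.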

Seeing Event ID 5857 in your own logs? Upload an .evtx file — EventPeeker flags WMI provider activity automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.

Analyze my logs →

Related Event IDs

5858: WMI provider error — failed WMI operations, often paired with probing
4688: Process creation — identify the process that invoked WMI
4698: Scheduled task created — alternative persistence method alongside WMI

Go deeper: the full WMI Persistence — Event Subscription Backdoors guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.

Read the WMI Persistence — Event Subscription Backdoors guide

See Event ID 5857 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects WMI provider activity patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →