EventPeeker
Event ID 5857
Level: Information
Channel: Microsoft-Windows-WMI-Activity/Operational
Technique: T1546.003

Windows Event ID 5857: WMI Provider Activity

Logged when a WMI provider is loaded or invoked. Captures the WMI namespace, provider name, and the initiating process, providing visibility into WMI consumer activity.

MITRE ATT&CK

Technique

T1546.003 · Windows Management Instrumentation Event Subscription

Tactic

Persistence


Why It Matters

WMI is one of the most abused Windows subsystems for persistence, lateral movement, and stealthy execution. WMI event subscriptions (permanent consumers) survive reboots and run without a visible process. Event ID 5857 reveals which WMI providers are being loaded and by what process, helping identify malicious consumers established for persistence or remote command execution.

Key Fields

ProviderName: The WMI provider being invoked — look for unexpected or custom provider names
HostProcess: The process hosting the provider — WmiPrvSE.exe is normal; other processes are suspicious
Namespace: The WMI namespace accessed — root\subscription is used for persistence subscriptions
ResultCode: 0x0 = success; non-zero values indicate errors that may reveal probing activity

Investigation Tips

  1. Access to the root\subscription namespace is a primary indicator of WMI persistence — this is where permanent WMI event subscriptions are registered.
  2. Check HostProcess: legitimate WMI runs through WmiPrvSE.exe. If the provider is loaded by powershell.exe, cmd.exe, or an unusual executable, treat it as suspicious.
  3. Correlate with Event ID 5858 (WMI provider errors) — attackers probing WMI or using malformed subscriptions often generate 5858 errors alongside successful 5857 events.
  4. Is this always malicious? No — WMI is extensively used by management tools, monitoring agents (SCCM, Splunk, SolarWinds), and Windows itself. Baseline which providers load in your environment and alert on anomalies.
  5. Pair with Event ID 4688 to identify the parent process that initiated WMI activity — this traces execution back to the original attack vector.
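The five tips above expressed as triage logic, as an added example that is not EventPeeker's code. The records are constructed samples shaped around the page's key fields (ProviderName, HostProcess, Namespace, ResultCode); real events must first be parsed from the Microsoft-Windows-WMI-Activity/Operational log into this form, and the baseline provider set and the "CustomProv" name are assumptions.

```python
# Added example (not EventPeeker code): triage of 5857 events using the page's investigation tips.
from collections import Counter

# Constructed sample events: a small benign baseline followed by records a defender should flag.
SAMPLE_EVENTS = [
    {"EventID": 5857, "ProviderName": "CIMWin32", "HostProcess": "WmiPrvSE.exe",
     "Namespace": "root\\cimv2", "ResultCode": "0x0"},
    {"EventID": 5857, "ProviderName": "CIMWin32", "HostProcess": "WmiPrvSE.exe",
     "Namespace": "root\\cimv2", "ResultCode": "0x0"},
    {"EventID": 5857, "ProviderName": "MS_NT_EVENTLOG_PROVIDER", "HostProcess": "WmiPrvSE.exe",
     "Namespace": "root\\cimv2", "ResultCode": "0x0"},
    # Tips 1 and 2: persistence namespace touched by an interactive shell, not WmiPrvSE.exe
    {"EventID": 5857, "ProviderName": "ActiveScriptEventConsumer", "HostProcess": "powershell.exe",
     "Namespace": "root\\subscription", "ResultCode": "0x0"},
    # Tips 3 and 4: an unbaselined provider (placeholder name) with a paired 5858 error
    {"EventID": 5857, "ProviderName": "CustomProv", "HostProcess": "WmiPrvSE.exe",
     "Namespace": "root\\cimv2", "ResultCode": "0x80041001"},
    {"EventID": 5858, "ProviderName": "CustomProv", "HostProcess": "WmiPrvSE.exe",
     "Namespace": "root\\cimv2", "ResultCode": "0x80041001"},
]

BASELINE_PROVIDERS = {"CIMWin32", "MS_NT_EVENTLOG_PROVIDER"}  # assumed: learned from known-good hosts
NORMAL_HOST = "wmiprvse.exe"  # compared case-insensitively


def triage(events, baseline=BASELINE_PROVIDERS):
    """Return a list of (event, reasons) for 5857 events that match any investigation tip."""
    # Tip 3: count 5858 errors per provider so they can be paired with successful loads.
    error_providers = Counter(e["ProviderName"] for e in events if e["EventID"] == 5858)
    findings = []
    for e in (x for x in events if x["EventID"] == 5857):
        reasons = []
        if e["Namespace"].lower() == "root\\subscription":          # tip 1
            reasons.append("persistence namespace root\\subscription")
        if e["HostProcess"].lower() != NORMAL_HOST:                   # tip 2
            reasons.append(f"provider hosted by {e['HostProcess']} instead of WmiPrvSE.exe")
        if e["ProviderName"] not in baseline:                         # tip 4
            reasons.append(f"provider {e['ProviderName']} not in baseline")
        if e["ResultCode"] != "0x0":                                  # ResultCode key field
            reasons.append(f"non-zero result code {e['ResultCode']}")
        if error_providers[e["ProviderName"]]:                        # tip 3
            reasons.append(f"{error_providers[e['ProviderName']]} paired 5858 error(s)")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for event, reasons in triage(SAMPLE_EVENTS):
        print(event["ProviderName"], "->", "; ".join(reasons))
```

Tip 5 (pairing with 4688) needs the ProcessID of the host process, which this record shape does not carry; join on it once your parser exposes it.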

Related Event IDs

5858: WMI provider error — failed WMI operations, often paired with probing
4688: Process creation — identify the process that invoked WMI
4698: Scheduled task created — alternative persistence method alongside WMI

Full Detection Guide Available

This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.


See Event ID 5857 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects WMI provider activity patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.
