Query Details
Wmi3
Query
DeviceProcessEvents | where InitiatingProcessFileName contains "WmiPrvSE.exe" | where FileName != "DismHost.exe" | where FileName != "WerFault.exe" | where InitiatingProcessAccountName == "network service" //find the events run over the network
Explanation
This query is searching for events related to a specific process called "WmiPrvSE.exe". It excludes events related to two other processes called "DismHost.exe" and "WerFault.exe". It also filters the events to only include those where the initiating process account name is "network service", indicating that the events were run over the network.
Details
Daniel Card
Released: September 4, 2023
Tables
DeviceProcessEvents
Keywords
Device,Process,Events,InitiatingProcessFileName,WmiPrvSE.exe,FileName,DismHost.exe,WerFault.exe,InitiatingProcessAccountName,NetworkService
Operators
| summarize count() by EventID
| order by count_ desc
| take 10