Share via

Unexpected WinRM Operational Events and WSMan Enumeration Failures on Windows 10

ThongLao 0 Reputation points
2026-04-22T03:45:24.75+00:00

I found a lot of activities in the Windows Remote Management "Operational" folder that has me kind of worried. There are literally hundreds of logs for Event 145, 161, and 142 showing up, even though I'm pretty sure I never turned on any remote access features for this machine. The errors keep saying the client cant connect to some destination URI and mention "winrm quickconfig," which is weird because none of my coworkers have these events on there PCs. It looks like the system is constantly trying to enumerate listeners or transfer data in the background and failing with error 2150858770. Does anyone know what background process or corporate software might be triggerring these WinRM connection attempts every few minutes?

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. VPHAN 30,935 Reputation points Independent Advisor
    2026-04-24T06:42:13.13+00:00

    Hi ThongLao,

    How is your issue going? Has it been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)

    VP

    0 comments
  2. VPHAN 30,935 Reputation points Independent Advisor
    2026-04-22T04:09:02.1766667+00:00

    Hi ThongLao,

    To identify the specific software causing this, open the Details tab of one of these events in Event Viewer and look for the ProcessID. You can then match this ID to a specific service in the Details tab of Task Manager. Also, you should check the registry path HKLM\Software\Policies\Microsoft\Windows\WinRM; if you see entries here, it confirms that your IT department is pushing WinRM configurations via Group Policy. The reason your coworkers may not see these errors is likely a difference in their "Network Location Awareness" profile or a GPO that successfully completed the "winrm quickconfig" on their machines but failed on yours due to a local firewall restriction or a corrupted HTTP.sys dependency.

    You can verify your current listener status by running winrm enumerate winrm/config/listener in an elevated Command Prompt. If it returns an empty result, the background attempts will continue to fail and log errors until either the configuration is completed or the management agent targeting your PC is adjusted.

    Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VP

    0 comments
  3. Q&A Assist
    2026-04-22T03:45:43.6933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    WinRM activity in the Operational log does not necessarily mean that interactive “remote access” was explicitly enabled by the user. Many Windows components and management tools probe WinRM locally or remotely, and when WinRM isn’t fully configured or reachable, they generate repeated connection failures and enumeration errors like the ones described.

    From the provided information, the most relevant causes and triggers are:

    1. Broken or unconfigured WinRM service/listener
      • The errors mentioning winrm quickconfig and failures when enumerating listeners match the scenario where the WinRM service or its listener configuration is broken or missing.
      • In this state, any component that tries to use WinRM (locally or remotely) will log failures such as:
        • “The client cannot connect to the destination specified in the requests… If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: winrm quickconfig.”
      • This is explicitly described as a symptom when the WinRM service and its listener functionality are broken.
    2. Background tools that rely on WinRM
      Several Windows and admin tools use WinRM under the hood and can generate periodic connection attempts:
      • Windows Admin Center or other remote management consoles: These use WinRM to connect to machines. If a gateway or management server is configured to poll or validate connectivity to this PC, it can cause repeated WinRM connection attempts and failures.
      • PowerShell remoting or scripts: Any scheduled task, monitoring agent, or configuration script that uses PowerShell remoting (Enter-PSSession, Invoke-Command, etc.) will rely on WinRM and can generate these events if the local listener or firewall rules are not correctly configured.
      • Event collection / monitoring: Collector-initiated subscriptions or monitoring systems that use WS-Management can cause many connection attempts. When connections fail, they can hold threads until timeout and generate errors in the WinRM Operational log.
    3. Firewall or network profile issues
      • WinRM requires appropriate firewall rules for the current profile (Domain/Private).
      • winrm quickconfig creates firewall exceptions only for the current profile; if the profile changes (for example, from Domain to Private or Public), WinRM traffic may start failing and logging errors until the configuration is updated.
    4. Listener configuration and ports
      • By default, WinRM 2.0 uses port 5985 (HTTP) and 5986 (HTTPS).
      • If the listener is missing, corrupted, or bound incorrectly, any attempt to enumerate listeners (winrm e winrm/config/listener) or connect to the default WS-Man endpoint will fail and log Operational events.
      • The default listener configuration is created by winrm quickconfig; if that was never run successfully or the configuration was later damaged, background WinRM consumers will keep failing.
    5. Group Policy or corporate configuration
      • In a corporate environment, Group Policy can configure WinRM and Windows Remote Shell centrally.
      • A GPO that partially enables or configures WinRM (for example, enabling some settings but not correctly configuring listeners or firewall rules) can cause the OS or management tools to repeatedly probe WinRM and log failures, even if the user never manually enabled remote access.

    Putting this together for the described scenario:

    • The repeated Event 145/161/142 entries and error messages referencing winrm quickconfig strongly indicate that some corporate management or monitoring tool, or a GPO-driven configuration, is trying to use WinRM on this Windows 10 machine.
    • Because the WinRM service or listener configuration is incomplete or broken, each attempt fails with connection errors and WSMan enumeration failures, which are logged in the WinRM Operational log.
    • Coworkers not seeing the same events may have different GPO scope, different management agents installed, or correctly configured WinRM/firewall settings.

    To identify the trigger in an enterprise environment, the most likely sources to investigate are:

    1. Windows Admin Center or other remote management gateways targeting this machine.
    2. Monitoring/management agents or scheduled PowerShell scripts that use WinRM/WS-Management.
    3. Group Policy settings under Computer Configuration → Administrative Templates → Windows Components → Windows Remote Management and Windows Remote Shell that may be enabling or probing WinRM.

    Once the responsible tool or policy is identified, the options are either:

    • Correctly configure WinRM on the machine (service, listener, and firewall) so those connections succeed, or
    • Adjust the tool/policy so it no longer targets this machine via WinRM if remote management is not desired.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.