Author Posts

November 14, 2013 at 12:21 pm

So I was looking at informational logs across our servers recently and noticed we're logging a bunch of PowerShell events every 15 minutes.

Usually get a bunch of id 600 like:

Provider "Alias" is Started.

Details:
ProviderName=Alias
NewProviderState=Started

SequenceNumber=7261

HostName=OpsMgr PowerShell Host
HostVersion=7.0.5000.0
HostId=d6025fb5-6f89-47c4-8ed9-4dfda6c181c5
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=

For several providers, FileSystem, Environment, Alias, Registry, Variable, Certificate, WSMan.

Followed by Event 400 and 403.

Engine state is changed from None to Available.

Details:
NewEngineState=Available
PreviousEngineState=None

Engine state is changed from Available to Stopped.

Details:
NewEngineState=Stopped
PreviousEngineState=Available

All within the span of a second or so. These repeat every 15 minutes exactly across hundreds of servers. All refer to OpsMgr PowerShell Host. We're not having any issues, and they're all informational, but I'm not really sure what's going on.

November 14, 2013 at 12:31 pm

My guess would be that you've got a PowerShell script running as a scheduled task every 15 minutes.

November 14, 2013 at 12:31 pm

OpsMan has its own PowerShell host, which is what it uses to run PowerShell scripts. Each time it starts that host (to run a script), for some reason it's logging the fact that the various PSProviders are starting up. Totally normal, except it's a lot of noise. You can probably configure a lower level of logging someone in OpsMan.

You've likely got some shell action running in OpsMan every 15 minutes, which is what's doing it.

November 14, 2013 at 12:35 pm

That makes sense, I hadn't thought of the opsmanager agent running powershell tasks but makes perfect sense now that I do.

Thanks