[collector:] client az-mbox2.ceda.unina2.it.powershell powershell XymonPS [date] Sat 01 Nov 08:56:47 2025 [clock] epoch: 1761983807 local: Sat 01 Nov 08:56:47 2025 UTC: Sat 01 Nov 07:56:47 2025 Time Synchronisation type: NT5DS Leap Indicator: 0(no warning) Stratum: 4 (secondary reference - syncd by (S)NTP) Precision: -23 (119.209ns per tick) Root Delay: 0.0000658s Root Dispersion: 0.0100002s ReferenceId: 0x564D5450 (source IP: 86.77.84.80) Last Successful Sync Time: 11/1/2025 8:56:37 AM Source: VM IC Time Synchronization Provider Poll Interval: 6 (64s) [clientversion] 2.42 [uname] Microsoft Windows Server 2022 Datacenter Azure Edition (build 20348) [cpu] up: 7 days, 0 users, 168 procs, load=2.77% CPU states: total 2.77% cores: 4 CPU PID Image Name Pri Time MemUsage 1.0% 1432 SVC:EventLog 8 07:15:46 28356k 0.5% 13496 powershell 8 00:08:35 141964k 0.4% 7044 SVC:MSComplianceAudit 8 01:43:53 211044k 0.1% 4000 SVC:WinDefend 8 01:21:45 272408k 0.1% 2648 taskhostw 6 00:51:50 90704k 0.1% 900 SVC:KeyIso/Netlogon/SamSs 9 00:46:12 88936k 0.1% 8740 MSExchangeHMWorker 8 00:31:31 573128k 0.1% 11316 updateservice 8 00:05:57 20972k 0.0% 4556 SVC:DPS 8 00:15:55 25568k 0.0% 14204 EdgeTransport 8 00:22:06 1020168k 0.0% 1320 SVC:MSExchangeDiagnostics 8 00:16:33 207152k 0.0% 12788 scanningprocess 8 00:27:30 281996k 0.0% 3836 SVC:MSExchangeHM 8 00:08:14 144792k 0.0% 13100 w3wp 8 00:09:30 684100k 0.0% 4048 SVC:WindowsAzureGuestAgent 8 00:04:20 68468k 0.0% 880 services 9 00:12:40 15964k 0.0% 7036 SVC:MSExchangeEdgeSync 8 00:07:58 105720k 0.0% 3016 SVC:FMS 8 00:08:13 17772k 0.0% 2208 SVC:LanmanWorkstation 8 00:00:52 10856k 0.0% 4648 SVC:ClusSvc 13 00:01:44 34248k 0.0% 10928 w3wp 8 00:04:10 267296k 0.0% 1896 SVC:Dnscache 8 00:01:44 11248k 0.0% 9308 w3wp 8 00:01:49 502456k 0.0% 2020 SVC:Schedule 8 00:02:18 16660k 0.0% 3684 SVC:RdAgent 8 00:03:05 94352k 0.0% 3272 SVC:Winmgmt 8 00:02:37 24084k 0.0% 6948 SVC:MSExchangeSubmission 8 00:04:54 191616k 0.0% 7020 SVC:MSExchangeFrontEndTranspor 8 
00:07:42 280640k 0.0% 7124 SVC:MSExchangeRepl 10 00:05:42 211112k 0.0% 8948 Microsoft.Exchange.Pop3 8 00:00:33 188036k 0.0% 5980 w3wp 8 00:01:46 413600k 0.0% 7640 noderunner 8 00:07:58 590488k 0.0% 8184 w3wp 8 00:02:28 391460k 0.0% 2260 w3wp 8 00:02:30 226296k 0.0% 4 System 8 00:08:08 112k 0.0% 952 SVC:RpcEptMapper/RpcSs 8 00:02:10 42144k 0.0% 1340 SVC:vmicheartbeat 8 00:01:36 12124k 0.0% 19684 SVC:SecurityHealthService 8 00:00:00 11984k 0.0% 17032 SVC:XymonPSClient 8 00:00:00 6716k 0.0% 7012 SVC:MSExchangeMailboxReplicati 8 00:00:48 240156k 0.0% 6980 SVC:MSExchangeServiceHost 8 00:02:47 240896k 0.0% 6996 SVC:MSExchangeRPC 8 00:01:34 181044k 0.0% 7004 SVC:MSExchangeIMAP4BE 8 00:00:05 120104k 0.0% 7028 SVC:MSExchangeIS 8 00:00:08 161452k 0.0% 14696 Microsoft.Exchange.Store.Worke 8 00:01:00 876132k 0.0% 7052 SVC:MSExchangeCompliance 8 00:00:05 136240k 0.0% 7060 SVC:MSExchangeFlighting 8 00:01:08 361384k 0.0% 16580 SVC:MSExchangeImap4 8 00:00:07 120056k 0.0% 14744 conhost 8 00:00:01 14092k 0.0% 7068 SVC:MSExchangeMitigation 8 00:00:38 268276k 0.0% 6344 w3wp 8 00:02:32 488704k 0.0% 6804 noderunner 8 00:00:31 182636k 0.0% 6896 Microsoft.Exchange.Pop3 8 00:00:12 148200k 0.0% 6208 dllhost 8 00:00:00 12796k 0.0% 5988 w3wp 8 00:01:02 283756k 0.0% 6048 conhost 8 00:00:00 10908k 0.0% 6184 SVC:MSExchangeMailboxAssistant 8 00:00:04 245764k 0.0% 20160 SVC:StateRepository 8 00:00:00 12272k 0.0% 23052 SVC:Appinfo 8 00:00:00 6724k 0.0% 19920 conhost 8 00:00:00 10888k 0.0% 6972 SVC:MSExchangePOP3BE 8 00:00:06 119644k 0.0% 21960 SVC:wuauserv 8 00:00:00 17332k 0.0% 6956 SVC:MSExchangePop3 8 00:00:05 120112k 0.0% 6964 SVC:MSExchangeThrottling 8 00:00:01 106416k 0.0% 7076 SVC:MSExchangeFastSearch 8 00:00:07 141372k 0.0% 9272 conhost 8 00:00:00 10792k 0.0% 12940 SVC:StorSvc 8 00:00:01 15536k 0.0% 9316 w3wp 8 00:00:50 273424k 0.0% 9228 conhost 8 00:00:00 10796k 0.0% 13380 SVC:CDPSvc 8 00:00:00 12132k 0.0% 9152 SVC:DsSvc 8 00:00:09 11040k 0.0% 13308 SVC:PcaSvc 8 00:00:00 12500k 0.0% 9700 
SVC:TabletInputService 8 00:00:00 7800k 0.0% 10352 WaSecAgentProv 8 00:00:00 4292k 0.0% 12432 ForefrontActiveDirectoryConnec 8 00:00:05 139184k 0.0% 9512 SVC:MSDTC 8 00:00:00 11712k 0.0% 12724 SVC:MSExchangeTransport 8 00:00:02 108500k 0.0% 9384 w3wp 8 00:00:49 368936k 0.0% 12604 scanningprocess 8 00:07:42 179492k 0.0% 9028 conhost 8 00:00:00 10784k 0.0% 14412 SVC:UsoSvc 8 00:00:00 12836k 0.0% 14372 Microsoft.Exchange.Imap4 8 00:02:09 190252k 0.0% 7872 Microsoft.Exchange.Imap4 8 00:00:31 184984k 0.0% 14512 SVC:WinRM 8 00:00:01 17600k 0.0% 7084 SVC:MSExchangeTransportLogSear 8 00:00:31 128348k 0.0% 7092 SVC:MSExchangeDagMgmt 8 00:00:09 192932k 0.0% 7100 SVC:MSExchangeAntispamUpdate 8 00:00:01 33324k 0.0% 13596 rhs 13 00:00:05 12848k 0.0% 8756 SVC:TokenBroker 8 00:00:00 16060k 0.0% 8796 conhost 8 00:00:00 10804k 0.0% 8344 noderunner 8 00:00:20 171320k 0.0% 7884 noderunner 8 00:00:35 189116k 0.0% 14216 conhost 8 00:00:00 10872k 0.0% 13936 SVC:WdiServiceHost 8 00:00:00 6664k 0.0% 1708 SVC:ProfSvc 8 00:00:00 13460k 0.0% 1680 SVC:Dhcp 8 00:00:56 8516k 0.0% 1724 SVC:gpsvc 8 00:00:02 13992k 0.0% 1716 SVC:Themes 8 00:00:00 6180k 0.0% 1664 dwm 13 00:00:03 44696k 0.0% 1484 SVC:CertPropSvc 8 00:00:00 7304k 0.0% 1448 SVC:NlaSvc 8 00:00:00 13132k 0.0% 1628 SVC:nsi 8 00:00:02 10472k 0.0% 1556 LogonUI 13 00:01:27 46304k 0.0% 2160 SVC:ShellHWDetection 8 00:00:00 13128k 0.0% 2124 SVC:AppHostSvc 8 00:00:00 12616k 0.0% 2300 SVC:CoreMessagingRegistrar 8 00:00:00 6508k 0.0% 2232 SVC:FontCache 8 00:00:00 7548k 0.0% 2088 SVC:WdNisSvc 8 00:00:39 14060k 0.0% 1844 SVC:UmRdpService 8 00:00:00 8464k 0.0% 1748 SVC:EventSystem 8 00:00:01 8648k 0.0% 2064 SVC:Wcmsvc 8 00:00:00 9156k 0.0% 1908 SVC:SENS 8 00:00:00 8824k 0.0% 1392 SVC:vmictimesync 8 00:00:06 6376k 0.0% 736 wininit 13 00:00:00 7292k 0.0% 656 csrss 13 00:00:13 7188k 0.0% 808 winlogon 13 00:00:00 10528k 0.0% 744 csrss 13 00:00:00 6056k 0.0% 580 fontdrvhost 8 00:00:00 4012k 0.0% 116 Registry 8 00:00:04 97588k 0.0% 0 Idle 0 8k 0.0% 576 
fontdrvhost 8 00:00:00 4124k 0.0% 516 smss 11 00:00:00 1228k 0.0% 1248 SVC:NcbService 8 00:00:00 10036k 0.0% 1240 SVC:TimeBrokerSvc 8 00:00:00 12292k 0.0% 1360 SVC:vmicshutdown 8 00:00:00 6280k 0.0% 1352 SVC:vmickvpexchange 8 00:00:29 6512k 0.0% 1172 SVC:lmhosts 8 00:00:00 6652k 0.0% 1052 SVC:LSM 8 00:00:07 11116k 0.0% 1016 SVC:BrokerInfrastructure/DcomL 8 00:00:20 25152k 0.0% 1168 SVC:W32Time 8 00:00:06 8732k 0.0% 1120 SVC:TermService 8 00:00:17 27588k 0.0% 4080 SVC:WMSVC 8 00:00:00 23464k 0.0% 3912 SVC:TrkWks 8 00:00:00 6060k 0.0% 4272 rhs 13 00:00:00 16412k 0.0% 4120 SVC:WpnService 8 00:00:00 12076k 0.0% 3900 scanningprocess 8 00:07:26 179376k 0.0% 3828 SVC:MSExchangeHMRecovery 8 00:00:00 36836k 0.0% 3756 SVC:SearchExchangeTracing 8 00:01:07 16796k 0.0% 3892 SVC:SysMain 8 00:00:00 7140k 0.0% 3880 SVC:sacsvr 8 00:00:00 5728k 0.0% 5724 w3wp 8 00:00:15 255332k 0.0% 5624 SVC:NetMsmqActivator 8 00:00:00 17784k 0.0% 5972 w3wp 8 00:00:44 185356k 0.0% 5832 SVC:MSExchangeDelivery 8 00:02:40 192624k 0.0% 5324 SVC:PolicyAgent 8 00:00:00 8008k 0.0% 4504 SVC:RasMan 8 00:00:00 13496k 0.0% 4468 SVC:UALSVC 8 00:00:09 15424k 0.0% 4856 SVC:MSExchangeADTopology 8 00:01:28 153864k 0.0% 4604 AggregatorHost 8 00:00:02 6412k 0.0% 3640 SVC:pla 8 00:00:02 7396k 0.0% 2756 SVC:UserManager 8 00:00:00 9464k 0.0% 2748 SVC:HostControllerService 8 00:01:55 94276k 0.0% 2876 SVC:DispBrokerDesktopSvc 8 00:00:00 7400k 0.0% 2788 SVC:DiagTrack 8 00:00:52 42920k 0.0% 2512 SVC:netprofm 8 00:00:02 11368k 0.0% 2400 SVC:WinHttpAutoProxySvc 8 00:00:07 8276k 0.0% 2352 SVC:BFE/mpssvc 8 00:00:10 23564k 0.0% 2504 SVC:CryptSvc 8 00:00:11 14972k 0.0% 2496 SVC:SessionEnv 8 00:00:00 10424k 0.0% 3580 SVC:W3SVC/WAS 8 00:00:35 16100k 0.0% 3556 SVC:LanmanServer 8 00:00:02 9324k 0.0% 3632 SVC:SstpSvc 8 00:00:00 7632k 0.0% 3588 SVC:MSMQ 8 00:00:00 15152k 0.0% 3496 SVC:NetPipeActivator/NetTcpAct 8 00:00:03 38680k 0.0% 3080 SVC:iphlpsvc 8 00:00:00 10516k 0.0% 3064 SVC:Spooler 8 00:00:09 27312k 0.0% 3484 SVC:MDCoreSvc 8 
00:00:10 29796k 0.0% 3140 SVC:IISADMIN 8 00:02:46 30444k [disk] Filesystem 1K-blocks Used Avail Capacity Mounted Label Summary(Total\Avail GB) C 132589516 83523268 49066248 63% /FIXED/C:\ Windows 126.45\46.79 Exch-DB\Az-DB01 1073723388 134031416 939691972 12% /FIXED/C:\Exch-DB\Az-DB01\ Az-DB01 1023.98\896.16 [memory] memory Total Used physical: 32717 12968 virtual: 37581 19276 page: 4864 1343 [msgs:EventlogSummary] LogMode MaximumSizeInBytes RecordCount LogName ------- ------------------ ----------- ------- Circular 163840000 207655 Security Circular 133103616 454968 System Circular 133103616 319628 Application [msgs:eventlog_Security] Information - 11/01/2025 08:56:29 - [4627] - Microsoft-Windows-Security-Auditing - Group membership information. Subject: Security ID: S-1-5-20 Account Name: AZ-MBOX2$ Account Domain: CEDA Logon ID: 0x3E4 Logon Type: 8 New Logon: Security ID: S-1-5-21-763260921-2130689516-753475539-41932 Account Name: HealthMailbox9d8937c Account Domain: CEDA Logon ID: 0x35A4EB87 Event in sequence: 1 of 1 Group Membership: %{S-1-5-21-763260921-2130689516-753475539-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session. 
[msgs:eventlog_System] [msgs:eventlog_Application] [procs] PID User WorkingSet/Peak VirtualMem/Peak PagedMem/Peak NPS Handles %CPU Start Time Elapsed Name Command 1432 NT AUTHORITY\LOCAL SERVICE 28356/41164 2151801184/2152336840 23268/37392 18 568 1.0 2025-10-25 03:15:45 10421 SVC:EventLog C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog 13496 NT AUTHORITY\SYSTEM 141964/206680 2152415392/2152456480 123564/189828 37 556 0.5 2025-11-01 02:00:03 416 powershell "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File "C:\Program Files\xymon\xymonclient.ps1" 7044 NT AUTHORITY\SYSTEM 211044/246000 5272900/5318728 206284/245056 69 1239 0.4 2025-10-25 03:15:55 10421 SVC:MSComplianceAudit "C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe" 4000 Unknown 272408/1130800 2152938112/2154072420 307116/1146744 240 888 0.1 2025-10-25 03:15:49 10421 SVC:WinDefend 2648 NT AUTHORITY\SYSTEM 90704/101056 2152498296/2186089232 102680/109456 73 2071 0.1 2025-10-25 03:15:49 10421 taskhostw taskhostw.exe ExploitGuardPolicy 900 NT AUTHORITY\SYSTEM 88936/111616 2151882532/2151883592 72004/94828 40 32018 0.1 2025-10-25 03:15:44 10421 SVC:KeyIso/Netlogon/SamSs C:\Windows\system32\lsass.exe 8740 NT AUTHORITY\SYSTEM 573128/654252 5817476/5867568 506692/588096 169 3844 0.1 2025-10-25 03:16:03 10420 MSExchangeHMWorker "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe" -pipe:3760 -stopkey:Global\ExchangeStopKey-3d947ddc-662f-4ef0-a8c0-eee5ec5acacf -resetkey:Global\ExchangeResetKey-7f921d83-f11a-4ad4-a289-212e2c23ed87 -readykey:Global\ExchangeReadyKey-24784294-44bc-4588-b826-281fdbd492f9 -hangkey:Global\ExchangeHangKey-74ce37e9-2772-46a9-a9c4-e3e2fef3d403 -startUpProgressKey:Global\ExchangeProgressKey-e1560923-2ed3-45f2-89bd-58b61fcfa9b0 -workerListening 11316 NT AUTHORITY\NETWORK SERVICE 20972/154568 4310496/4444844 
8540/8904 16 459 0.1 2025-10-25 03:16:38 10420 updateservice "C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe" -Embedding 4556 NT AUTHORITY\LOCAL SERVICE 25568/30608 2151841412/2152121740 24340/26624 20 316 0.0 2025-10-25 03:19:09 10417 SVC:DPS C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS 14204 NT AUTHORITY\NETWORK SERVICE 1020168/1728284 24273416/24467944 1310160/1842648 133 5299 0.0 2025-10-25 03:17:24 10419 EdgeTransport "C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe" -pipe:2880 -stopkey:Global\ExchangeStopKey-22303d25-6ba7-4c14-851a-8ff7388552f3 -resetkey:Global\ExchangeResetKey-f8871e04-ec1b-4aed-9b04-89458b55d972 -readykey:Global\ExchangeReadyKey-b1501133-5df3-4335-acdf-ada1f863d76d -hangkey:Global\ExchangeHangKey-34bdb270-0191-47e3-8969-c4d01fc69999 -startUpProgressKey:Global\ExchangeProgressKey-d0754c2b-7955-4811-b90d-c53015e8955c -workerListening 1320 NT AUTHORITY\SYSTEM 207152/271676 5307392/5351756 217388/292952 102 2489 0.0 2025-10-25 03:19:10 10417 SVC:MSExchangeDiagnostics "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe" 12788 NT AUTHORITY\LOCAL SERVICE 281996/1123016 5479928/6323568 623516/1446064 301 889 0.0 2025-10-25 03:17:05 10419 scanningprocess "C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe" -Embedding 3836 NT AUTHORITY\SYSTEM 144792/146636 5210288/5226640 144408/146116 63 1013 0.0 2025-10-25 03:15:49 10421 SVC:MSExchangeHM "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe" 13100 NT AUTHORITY\SYSTEM 684100/769428 2153332032/2153350272 626112/711656 225 2242 0.0 2025-10-25 03:18:23 10418 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangePowerShellAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \\.\pipe\iisipm0af2a6eb-7379-4ee8-9b62-4a8aa8c428a0 -h 
"C:\inetpub\temp\apppools\MSExchangePowerShellAppPool\MSExchangePowerShellAppPool.config" -w "" -m 0 4048 NT AUTHORITY\SYSTEM 68468/85012 4899568/4933112 51036/67664 37 623 0.0 2025-10-25 03:15:50 10421 SVC:WindowsAzureGuestAgent C:\WindowsAzure\GuestAgent_2.7.41491.1172_2025-08-27_190106\WindowsAzureGuestAgent.exe 880 Unknown 15964/18148 2151768148/2152315592 7472/14560 16 814 0.0 2025-10-25 03:15:44 10421 services 7036 NT AUTHORITY\SYSTEM 105720/107484 5035820/5039148 97996/100024 46 669 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeEdgeSync "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe" 3016 NT AUTHORITY\SYSTEM 17772/18212 4294884/4295832 8140/8492 15 353 0.0 2025-10-25 03:15:49 10421 SVC:FMS "C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe" 2208 NT AUTHORITY\NETWORK SERVICE 10856/10920 2151765720/2151773912 2516/2680 15 249 0.0 2025-10-25 03:15:49 10421 SVC:LanmanWorkstation C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation 4648 NT AUTHORITY\SYSTEM 34248/34316 2151815036/2151828736 13784/14736 38 1028 0.0 2025-10-25 03:15:50 10421 SVC:ClusSvc C:\Windows\Cluster\clussvc.exe -s 10928 NT AUTHORITY\SYSTEM 267296/327964 2152923776/2152994092 270068/341256 117 1247 0.0 2025-10-25 03:20:02 10416 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeMapiMailboxAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\MSExchangeMapiMailboxAppPool_CLRConfig.config" -a \\.\pipe\iisipmab8cd8e4-1f65-462a-9cd3-d4f7f016c2d8 -h "C:\inetpub\temp\apppools\MSExchangeMapiMailboxAppPool\MSExchangeMapiMailboxAppPool.config" -w "" -m 0 1896 NT AUTHORITY\NETWORK SERVICE 11248/11480 2151802948/2151812172 5104/5300 19 364 0.0 2025-10-25 03:15:49 10421 SVC:Dnscache C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache 9308 NT AUTHORITY\SYSTEM 502456/650344 2153499964/2153502012 533088/659148 222 3666 0.0 2025-10-25 03:16:07 10420 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap 
"MSExchangeServicesAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \\.\pipe\iisipm6debd7f8-3ee7-4efc-b01d-62135ab0c2bc -h "C:\inetpub\temp\apppools\MSExchangeServicesAppPool\MSExchangeServicesAppPool.config" -w "" -m 0 2020 NT AUTHORITY\SYSTEM 16660/62700 2151862216/2151879920 5856/61796 20 379 0.0 2025-10-25 03:15:49 10421 SVC:Schedule C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule 3684 NT AUTHORITY\SYSTEM 94352/142644 4884596/4953484 79044/128484 48 1581 0.0 2025-10-25 03:15:49 10421 SVC:RdAgent C:\WindowsAzure\GuestAgent_2.7.41491.1172_2025-08-27_190106\WaAppAgent.exe 3272 NT AUTHORITY\SYSTEM 24084/30796 2151836660/2151860696 12760/19680 18 390 0.0 2025-10-25 03:15:49 10421 SVC:Winmgmt C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt 6948 NT AUTHORITY\SYSTEM 191616/193044 5332900/5427360 193120/196908 78 1574 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeSubmission "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe" 7020 NT AUTHORITY\SYSTEM 280640/452696 22875544/22993048 439300/592788 88 1493 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeFrontEndTransport "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe" 7124 NT AUTHORITY\SYSTEM 211112/213892 6030144/6033256 260968/264368 117 1757 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeRepl "C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe" 8948 NT AUTHORITY\NETWORK SERVICE 188036/192796 5081976/5110152 155864/171840 92 1171 0.0 2025-10-25 03:16:04 10420 Microsoft.Exchange.Pop3 "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe" -pipe:1492 -stopkey:Global\ExchangeStopKey-db3054fd-3ec4-4e26-a2f0-5ae079a6ace6 -resetkey:Global\ExchangeResetKey-458cfa04-7215-41dd-be5e-fc3a5e79794d -readykey:Global\ExchangeReadyKey-afae800f-8ec0-41e9-9dc6-43d767220fea 
-hangkey:Global\ExchangeHangKey-e7eb2b90-958a-42a0-8fc4-451907eb80a8 -startUpProgressKey:Global\ExchangeProgressKey-67a3acc8-6772-4549-8857-59ddfb9f0b37 5980 NT AUTHORITY\SYSTEM 413600/413604 2153280180/2153285116 427616/427636 207 3137 0.0 2025-10-25 03:15:52 10421 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \\.\pipe\iisipmdf81ec9d-97b3-41cd-9d68-11955436a381 -h "C:\inetpub\temp\apppools\MSExchangeOWAAppPool\MSExchangeOWAAppPool.config" -w "" -m 0 7640 NT AUTHORITY\SYSTEM 590488/666416 24174928/24183116 702096/783804 240 2144 0.0 2025-10-25 03:15:58 10421 noderunner "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe" --noderoot "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\ContentEngineNode1" --addfrom "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\ContentEngineNode1\Configuration\Local\Node.ini" --tracelog "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\ContentEngineNode1\Logs\NodeRunner.log" --applicationbase "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0" 8184 NT AUTHORITY\SYSTEM 391460/396868 2153047808/2153049344 368540/384392 180 2742 0.0 2025-10-25 03:16:07 10420 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeAutodiscoverAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \\.\pipe\iisipm3a5eab29-8cb1-4659-8142-cc693facec3f -h "C:\inetpub\temp\apppools\MSExchangeAutodiscoverAppPool\MSExchangeAutodiscoverAppPool.config" -w "" -m 0 2260 NT AUTHORITY\SYSTEM 226296/226344 2152807600/2152809904 236848/236952 135 1126 0.0 2025-10-25 03:18:52 10418 w3wp c:\windows\system32\inetsrv\w3wp.exe 
-ap "MSExchangeRpcProxyAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\MSExchangeRpcProxyAppPool_CLRConfig.config" -a \\.\pipe\iisipm4007e47c-65a5-4d21-9310-1cb5f7195ff9 -h "C:\inetpub\temp\apppools\MSExchangeRpcProxyAppPool\MSExchangeRpcProxyAppPool.config" -w "" -m 0 4 Unknown 112/1876 3968/15296 36/56 0 3074 0.0 2025-10-25 03:15:40 10421 System 952 NT AUTHORITY\NETWORK SERVICE 42144/42168 2151796584/2151803752 35340/35408 25 1343 0.0 2025-10-25 03:15:44 10421 SVC:RpcEptMapper/RpcSs C:\Windows\system32\svchost.exe -k RPCSS -p 1340 NT AUTHORITY\SYSTEM 12124/12184 2151771048/2151777316 2936/3112 16 219 0.0 2025-10-25 03:15:45 10421 SVC:vmicheartbeat C:\Windows\system32\svchost.exe -k ICService -p -s vmicheartbeat 19684 Unknown 11984/12092 2151758232/2151761304 2568/2724 11 195 0.0 2025-10-28 04:30:50 6026 SVC:SecurityHealthService 17032 NT AUTHORITY\SYSTEM 6716/6952 4267672/4272792 1960/2272 8 123 0.0 2025-11-01 02:00:03 416 SVC:XymonPSClient "C:\Program Files\xymon\nssm.exe" 7012 NT AUTHORITY\SYSTEM 240156/263340 13890544/13896944 328728/352616 74 1569 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeMailboxReplication "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe" 6980 NT AUTHORITY\SYSTEM 240896/243868 5490696/5502048 230936/235440 111 2221 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeServiceHost "C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe" 6996 NT AUTHORITY\SYSTEM 181044/181572 5297940/5301344 173640/174728 78 1107 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeRPC "C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe" 7004 NT AUTHORITY\NETWORK SERVICE 120104/120156 5003708/5011968 99844/100092 65 990 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeIMAP4BE "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe" 7028 NT AUTHORITY\SYSTEM 161452/162036 5240648/5244744 
162140/163272 68 967 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeIS "C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe" 14696 NT AUTHORITY\SYSTEM 876132/885608 6602552/6642096 1023128/1036124 90 1124 0.0 2025-10-25 03:19:30 10417 Microsoft.Exchange.Store.Worker "C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe" -id:59fc8808-844b-4244-a2bb-6a83f1ba6f3e -dag:35ceee8a-1604-4bb6-bd1a-765ff0ac7606 -pipe:1852 -readykey:Global\WorkerReadyKey-0983da83-8c01-4db2-9120-89069bb10727 7052 NT AUTHORITY\SYSTEM 136240/138416 5235404/5245900 143496/145920 60 1141 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeCompliance "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe" 7060 NT AUTHORITY\SYSTEM 361384/377480 5493680/5642456 338672/364688 103 2398 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeFlighting "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Management.Flighting.Service.exe" 16580 NT AUTHORITY\SYSTEM 120056/120172 5001672/5012232 99268/99560 67 985 0.0 2025-10-25 03:38:53 10398 SVC:MSExchangeImap4 "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe" 14744 NT AUTHORITY\SYSTEM 14092/14092 2151770496/2151772544 6668/6696 10 148 0.0 2025-11-01 02:00:03 416 conhost \??\C:\Windows\system32\conhost.exe 0x4 7068 NT AUTHORITY\SYSTEM 268276/269164 5482960/5626564 251492/272256 103 2462 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeMitigation "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Mitigation.Service.exe" 6344 NT AUTHORITY\SYSTEM 488704/508572 2161603216/2161605264 491556/502896 190 2862 0.0 2025-10-25 03:15:53 10421 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeSyncAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\MSExchangeSyncAppPool_CLRConfig.config" -a \\.\pipe\iisipm2abe2521-d27d-4eb7-aeb2-2b510d1cba34 -h 
"C:\inetpub\temp\apppools\MSExchangeSyncAppPool\MSExchangeSyncAppPool.config" -w "" -m 0 6804 NT AUTHORITY\SYSTEM 182636/182760 5141352/5149980 166172/166444 132 1376 0.0 2025-10-25 03:15:55 10421 noderunner "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe" --noderoot "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\AdminNode1" --addfrom "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\AdminNode1\Configuration\Local\Node.ini" --tracelog "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\AdminNode1\Logs\NodeRunner.log" 6896 NT AUTHORITY\SYSTEM 148200/191376 5045312/5110108 124412/171936 71 1313 0.0 2025-10-25 03:16:07 10420 Microsoft.Exchange.Pop3 "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe" -pipe:1532 -stopkey:Global\ExchangeStopKey-61ef957d-42d1-4037-b309-614c764dd61a -resetkey:Global\ExchangeResetKey-3599abf3-bd72-4617-875d-0ff33c206c9d -readykey:Global\ExchangeReadyKey-1254c1de-2e4a-4cba-b020-c8351e9ec113 -hangkey:Global\ExchangeHangKey-4e6439ce-f04e-4169-b39e-f17bbcc1fe2b -startUpProgressKey:Global\ExchangeProgressKey-b2186131-3596-40b4-b76a-9c27af01a010 6208 NT AUTHORITY\SYSTEM 12796/12900 2152037920/2152043652 3688/3904 18 211 0.0 2025-10-25 03:15:52 10421 dllhost C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 5988 NT AUTHORITY\SYSTEM 283756/283824 2152887076/2152889004 273668/274772 130 2040 0.0 2025-10-25 03:15:52 10421 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeECPAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \\.\pipe\iisipm4504a3b2-6105-48f3-ba4e-e730ccb29b63 -h "C:\inetpub\temp\apppools\MSExchangeECPAppPool\MSExchangeECPAppPool.config" -w "" -m 0 6048 NT AUTHORITY\SYSTEM 10908/10964 
2151757412/2151760480 6232/6344 8 87 0.0 2025-10-25 03:38:54 10398 conhost \??\C:\Windows\system32\conhost.exe 0x4 6184 NT AUTHORITY\SYSTEM 245764/245764 5535440/5538300 269816/269824 84 2456 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeMailboxAssistants "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe" 20160 NT AUTHORITY\SYSTEM 12272/16800 2151759484/2151779712 4708/8268 10 149 0.0 2025-10-26 10:53:35 8523 SVC:StateRepository C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository 23052 NT AUTHORITY\SYSTEM 6724/6872 2151744736/2151754900 1324/1600 8 125 0.0 2025-10-26 10:53:37 8523 SVC:Appinfo C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo 19920 NT AUTHORITY\SYSTEM 10888/10916 2151757412/2151759460 6232/6308 8 87 0.0 2025-11-01 08:19:13 37 conhost \??\C:\Windows\system32\conhost.exe 0x4 6972 NT AUTHORITY\NETWORK SERVICE 119644/119732 5002408/5011948 99316/99676 65 933 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangePOP3BE "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe" 21960 NT AUTHORITY\SYSTEM 17332/17400 2152062880/2152070112 8492/8904 25 311 0.0 2025-11-01 08:48:11 8 SVC:wuauserv C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv 6956 NT AUTHORITY\SYSTEM 120112/120296 5001328/5011892 99824/100224 67 827 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangePop3 "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe" 6964 NT AUTHORITY\NETWORK SERVICE 106416/106484 5156576/5165088 124400/124560 53 1113 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeThrottling "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe" 7076 NT AUTHORITY\SYSTEM 141372/142964 5211252/5268040 166120/166208 59 1757 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeFastSearch "C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe" 9272 NT AUTHORITY\NETWORK SERVICE 10792/10852 
2151757412/2151760484 6236/6352 8 87 0.0 2025-10-25 03:16:07 10420 conhost \??\C:\Windows\system32\conhost.exe 0x4 12940 NT AUTHORITY\SYSTEM 15536/16080 2151778076/2151792412 3316/4164 14 254 0.0 2025-10-25 03:17:18 10419 SVC:StorSvc C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p 9316 NT AUTHORITY\SYSTEM 273424/612368 2170267868/2170304224 303136/652228 98 2072 0.0 2025-10-25 03:16:07 10420 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeMapiFrontEndAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\MSExchangeMapiFrontEndAppPool_CLRConfig.config" -a \\.\pipe\iisipmf190cda7-8c5b-4dce-b445-a9bbfff55736 -h "C:\inetpub\temp\apppools\MSExchangeMapiFrontEndAppPool\MSExchangeMapiFrontEndAppPool.config" -w "" -m 0 9228 NT AUTHORITY\SYSTEM 10796/10856 2151757412/2151760484 6248/6360 8 87 0.0 2025-10-25 03:16:07 10420 conhost \??\C:\Windows\system32\conhost.exe 0x4 13380 NT AUTHORITY\LOCAL SERVICE 12132/12192 2151774400/2151788736 2372/2932 12 204 0.0 2025-10-25 03:19:09 10417 SVC:CDPSvc C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc 9152 NT AUTHORITY\SYSTEM 11040/11076 2152300008/2152309224 6368/6748 16 192 0.0 2025-10-25 11:15:50 9941 SVC:DsSvc C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc 13308 NT AUTHORITY\SYSTEM 12500/13624 2151776128/2151790296 4620/5260 14 265 0.0 2025-10-25 03:19:10 10417 SVC:PcaSvc C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc 9700 NT AUTHORITY\SYSTEM 7800/7868 2151747752/2151755088 1508/1756 10 159 0.0 2025-10-26 10:53:36 8523 SVC:TabletInputService C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TabletInputService 10352 NT AUTHORITY\SYSTEM 4292/4336 2151735060/2151741204 1104/1232 6 78 0.0 2025-11-01 08:19:13 37 WaSecAgentProv "C:\WindowsAzure\SecAgent\WaSecAgentProv.exe" -startPoll C:\WindowsAzure\Logs\ 168.63.129.16 5248000 3600000 21600000 12432 NT AUTHORITY\NETWORK SERVICE 139184/139364 
5066904/5079120 119064/119864 56 1099 0.0 2025-10-25 03:16:53 10420 ForefrontActiveDirectoryConnector "C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe" -Embedding 9512 NT AUTHORITY\NETWORK SERVICE 11712/13200 2151766336/2151769380 3160/4464 17 252 0.0 2025-10-25 03:19:10 10417 SVC:MSDTC C:\Windows\System32\msdtc.exe 12724 NT AUTHORITY\NETWORK SERVICE 108500/108604 5157248/5171712 124484/124696 52 1115 0.0 2025-10-25 03:17:18 10419 SVC:MSExchangeTransport "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe" 9384 NT AUTHORITY\SYSTEM 368936/558792 2170246700/2170295992 420360/599088 87 1826 0.0 2025-10-25 03:16:08 10420 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeRpcProxyFrontEndAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\MSExchangeRpcProxyFrontEndAppPool_CLRConfig.config" -a \\.\pipe\iisipmf5456a3c-e95a-4189-8828-6e1af36ddaa3 -h "C:\inetpub\temp\apppools\MSExchangeRpcProxyFrontEndAppPool\MSExchangeRpcProxyFrontEndAppPool.config" -w "" -m 0 12604 NT AUTHORITY\LOCAL SERVICE 179492/976836 5378644/6224464 554652/1374020 289 551 0.0 2025-10-25 03:17:05 10419 scanningprocess "C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe" -Embedding 9028 NT AUTHORITY\NETWORK SERVICE 10784/10844 2151757412/2151760484 6240/6352 8 87 0.0 2025-10-25 03:16:05 10420 conhost \??\C:\Windows\system32\conhost.exe 0x4 14412 NT AUTHORITY\SYSTEM 12836/13200 2151768852/2151784212 2916/3792 15 236 0.0 2025-10-25 03:19:16 10417 SVC:UsoSvc C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc 14372 NT AUTHORITY\SYSTEM 190252/204060 5067260/5109736 147304/171496 79 1270 0.0 2025-10-25 03:38:54 10398 Microsoft.Exchange.Imap4 "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe" -pipe:1512 -stopkey:Global\ExchangeStopKey-877ce66b-2af2-4779-98fe-1e677846f659 -resetkey:Global\ExchangeResetKey-eda206fa-a8dd-4529-9792-dd23dc70626d 
-readykey:Global\ExchangeReadyKey-fb75282a-c1e2-4ba7-9ecf-68b20386c446 -hangkey:Global\ExchangeHangKey-0af90441-8c80-4c50-99be-ce1e13e9374f -startUpProgressKey:Global\ExchangeProgressKey-e5b669b5-a8fb-4478-8eb9-caaad60c9764 7872 NT AUTHORITY\NETWORK SERVICE 184984/192088 5084732/5109900 154612/171640 93 1276 0.0 2025-10-25 03:16:07 10420 Microsoft.Exchange.Imap4 "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe" -pipe:1492 -stopkey:Global\ExchangeStopKey-faa7b5ee-ce6d-47e3-99b2-02f9d355dd70 -resetkey:Global\ExchangeResetKey-9dc9e7bd-f182-43e2-864a-772db50d51ee -readykey:Global\ExchangeReadyKey-4dc66b81-cb60-497e-b244-39c8ea09c4ad -hangkey:Global\ExchangeHangKey-f5d9416a-fb2a-4933-b1e0-c40d7492dbef -startUpProgressKey:Global\ExchangeProgressKey-0b81d06b-375f-48a2-ba22-9be8cd200fc5 14512 NT AUTHORITY\NETWORK SERVICE 17600/22388 2151813544/2151821900 4484/8760 18 294 0.0 2025-10-25 03:19:16 10417 SVC:WinRM C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM 7084 NT AUTHORITY\SYSTEM 128348/128452 5091680/5096032 127596/128568 51 826 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeTransportLogSearch "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe" 7092 NT AUTHORITY\SYSTEM 192932/196784 5231736/5245732 161428/165692 77 990 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeDagMgmt "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe" 7100 NT AUTHORITY\SYSTEM 33324/33444 4841920/4848320 34964/35168 23 700 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeAntispamUpdate "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe" 13596 NT AUTHORITY\SYSTEM 12848/12968 2151769108/2151774228 3540/3860 15 249 0.0 2025-10-25 03:19:02 10417 rhs C:\Windows\Cluster\rhs.exe -key SYSTEM\CurrentControlSet\Services\ClusSvc\Parameters\Rhs\1381e993-700b-46e8-b5c0-cdfcb4365420 -parentPid 4648 -initEvent 7394bf27-af8c-44cd-9090-2a2dce431090 -replyEndpoint 
LRPC-53caccf56a051a464b 8756 NT AUTHORITY\SYSTEM 16060/21864 2151782176/2151813676 3048/4024 13 225 0.0 2025-10-26 10:53:36 8523 SVC:TokenBroker C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker 8796 NT AUTHORITY\SYSTEM 10804/10844 2151757412/2151759460 6240/6328 8 87 0.0 2025-10-25 03:16:03 10420 conhost \??\C:\Windows\system32\conhost.exe 0x4 8344 NT AUTHORITY\SYSTEM 171320/171996 5144720/5185028 155648/155780 129 1135 0.0 2025-10-25 03:16:01 10420 noderunner "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe" --noderoot "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\InteractionEngineNode1" --addfrom "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\InteractionEngineNode1\Configuration\Local\Node.ini" --tracelog "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\InteractionEngineNode1\Logs\NodeRunner.log" 7884 NT AUTHORITY\SYSTEM 189116/189800 6034500/6084972 175328/175516 160 1613 0.0 2025-10-25 03:15:58 10421 noderunner "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe" --noderoot "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\IndexNode1" --addfrom "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\IndexNode1\Configuration\Local\Node.ini" --tracelog "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis\IndexNode1\Logs\NodeRunner.log" 14216 NT AUTHORITY\NETWORK SERVICE 10872/10916 2151757412/2151759460 6228/6312 8 87 0.0 2025-10-25 03:17:24 10419 conhost \??\C:\Windows\system32\conhost.exe 0x4 13936 NT AUTHORITY\LOCAL SERVICE 6664/6704 2151751744/2151756864 1584/1884 9 124 0.0 2025-10-25 03:19:10 10417 SVC:WdiServiceHost C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost 1708 NT 
AUTHORITY\SYSTEM 13460/13568 2151779296/2151788512 2904/3268 13 225 0.0 2025-10-25 03:15:49 10421 SVC:ProfSvc C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc 1680 NT AUTHORITY\LOCAL SERVICE 8516/8700 2151757448/2151769736 2464/3232 11 249 0.0 2025-10-25 03:15:49 10421 SVC:Dhcp C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp 1724 NT AUTHORITY\SYSTEM 13992/14608 2151768376/2151779412 3064/3488 17 278 0.0 2025-10-25 03:15:49 10421 SVC:gpsvc C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc 1716 NT AUTHORITY\SYSTEM 6180/6204 2151751324/2151754400 1344/1472 8 128 0.0 2025-10-25 03:15:49 10421 SVC:Themes C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes 1664 Window Manager\DWM-1 44696/45000 2151923448/2151925052 18564/24580 26 631 0.0 2025-10-25 03:15:49 10421 dwm "dwm.exe" 1484 NT AUTHORITY\SYSTEM 7304/7324 2151752136/2151754696 1556/1704 9 158 0.0 2025-10-25 03:15:49 10421 SVC:CertPropSvc C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc 1448 NT AUTHORITY\NETWORK SERVICE 13132/13260 2151781920/2151799336 4152/4784 17 396 0.0 2025-10-25 03:15:49 10421 SVC:NlaSvc C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc 1628 NT AUTHORITY\LOCAL SERVICE 10472/10604 2151753612/2151756684 6044/6232 30 188 0.0 2025-10-25 03:15:49 10421 SVC:nsi C:\Windows\system32\svchost.exe -k LocalService -p -s nsi 1556 NT AUTHORITY\SYSTEM 46304/49956 2151966624/2151972344 11452/18132 26 455 0.0 2025-10-25 03:15:45 10421 LogonUI "LogonUI.exe" /flags:0x2 /state0:0xa3ac7855 /state1:0x41c64e6d 2160 NT AUTHORITY\SYSTEM 13128/13228 2151767488/2151777728 2196/2520 13 185 0.0 2025-10-25 03:15:49 10421 SVC:ShellHWDetection C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection 2124 NT AUTHORITY\SYSTEM 12616/12644 2151760156/2151764252 5216/5448 12 170 0.0 2025-10-25 03:15:49 10421 SVC:AppHostSvc C:\Windows\system32\svchost.exe -k apphost -s AppHostSvc 2300 NT AUTHORITY\LOCAL SERVICE 6508/6548 2151756716/2151760812 1508/1640 8 
125 0.0 2025-10-25 03:15:49 10421 SVC:CoreMessagingRegistrar C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p 2232 NT AUTHORITY\LOCAL SERVICE 7548/8776 2151783804/2151800148 1780/2512 10 141 0.0 2025-10-25 03:15:49 10421 SVC:FontCache C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache 2088 Unknown 14060/14660 2151789048/2151792160 6404/7120 13 214 0.0 2025-10-25 03:16:53 10420 SVC:WdNisSvc 1844 NT AUTHORITY\SYSTEM 8464/9724 2151758592/2151775588 1624/1888 10 151 0.0 2025-10-25 03:15:49 10421 SVC:UmRdpService C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s UmRdpService 1748 NT AUTHORITY\LOCAL SERVICE 8648/8716 2151761516/2151771748 2456/2632 11 190 0.0 2025-10-25 03:15:49 10421 SVC:EventSystem C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem 2064 NT AUTHORITY\LOCAL SERVICE 9156/9412 2151755436/2151769772 2120/3104 13 301 0.0 2025-10-25 03:15:49 10421 SVC:Wcmsvc C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p 1908 NT AUTHORITY\SYSTEM 8824/8952 2151755972/2151765240 1936/2252 11 179 0.0 2025-10-25 03:15:49 10421 SVC:SENS C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS 1392 NT AUTHORITY\LOCAL SERVICE 6376/6412 2151750624/2151752672 1508/1720 9 117 0.0 2025-10-25 03:15:45 10421 SVC:vmictimesync C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s vmictimesync 736 Unknown 7292/7400 2151750440/2151764400 1504/2028 12 157 0.0 2025-10-25 03:15:43 10421 wininit 656 Unknown 7188/7264 2151782436/2151785516 2420/2620 33 982 0.0 2025-10-25 03:15:42 10421 csrss 808 NT AUTHORITY\SYSTEM 10528/15256 2151812880/2151826264 2524/6508 12 214 0.0 2025-10-25 03:15:44 10421 winlogon winlogon.exe 744 Unknown 6056/6304 2151767968/2151773244 1956/2512 12 169 0.0 2025-10-25 03:15:43 10421 csrss 580 Font Driver Host\UMFD-1 4012/4056 2151747824/2151750896 1316/1416 7 39 0.0 2025-10-25 03:15:44 10421 fontdrvhost "fontdrvhost.exe" 116 Unknown 97588/209460 108740/211140 3684/145620 14 0 0.0 
2025-10-25 03:15:39 10421 Registry 0 8/8 8/8 60/60 0 0 0.0 0 Idle 576 Font Driver Host\UMFD-0 4124/4164 2151748276/2151751348 1372/1476 7 39 0.0 2025-10-25 03:15:44 10421 fontdrvhost "fontdrvhost.exe" 516 Unknown 1228/1332 2151719588/2151728136 1120/1204 4 57 0.0 2025-10-25 03:15:40 10421 smss 1248 NT AUTHORITY\SYSTEM 10036/10092 2151758920/2151763964 2032/2472 12 209 0.0 2025-10-25 03:15:45 10421 SVC:NcbService C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService 1240 NT AUTHORITY\LOCAL SERVICE 12292/12372 2151762348/2151768492 1812/2224 10 177 0.0 2025-10-25 03:15:45 10421 SVC:TimeBrokerSvc C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc 1360 NT AUTHORITY\SYSTEM 6280/6316 2151751644/2151755740 1464/1596 9 113 0.0 2025-10-25 03:15:45 10421 SVC:vmicshutdown C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s vmicshutdown 1352 NT AUTHORITY\SYSTEM 6512/6556 2151752104/2151756200 1548/1684 9 130 0.0 2025-10-25 03:15:45 10421 SVC:vmickvpexchange C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s vmickvpexchange 1172 NT AUTHORITY\LOCAL SERVICE 6652/6684 2151754268/2151757340 1588/1824 10 140 0.0 2025-10-25 03:15:45 10421 SVC:lmhosts C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts 1052 NT AUTHORITY\SYSTEM 11116/11504 2151761424/2151777992 2620/3168 14 303 0.0 2025-10-25 03:15:45 10421 SVC:LSM C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM 1016 NT AUTHORITY\SYSTEM 25152/25380 2151800376/2151827000 7824/8796 21 989 0.0 2025-10-25 03:15:44 10421 SVC:BrokerInfrastructure/DcomLaunch/PlugPlay/Power/SystemEventsBroker C:\Windows\system32\svchost.exe -k DcomLaunch -p 1168 NT AUTHORITY\LOCAL SERVICE 8732/8792 2151756536/2151758072 2020/2156 14 236 0.0 2025-10-25 03:15:45 10421 SVC:W32Time C:\Windows\system32\svchost.exe -k LocalService -s W32Time 1120 NT AUTHORITY\NETWORK SERVICE 27588/52592 2151867344/2151910372 14360/44732 26 752 0.0 
2025-10-25 03:15:45 10421 SVC:TermService C:\Windows\System32\svchost.exe -k termsvcs -s TermService 4080 NT AUTHORITY\LOCAL SERVICE 23464/23480 2152251432/2152252456 23080/23108 25 316 0.0 2025-10-25 03:15:50 10421 SVC:WMSVC C:\Windows\system32\inetsrv\wmsvc.exe 3912 NT AUTHORITY\SYSTEM 6060/6096 2151746792/2151750888 1332/1504 8 134 0.0 2025-10-25 03:15:49 10421 SVC:TrkWks C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks 4272 NT AUTHORITY\SYSTEM 16412/16564 2151780968/2151786612 4992/5392 17 324 0.0 2025-10-25 03:19:02 10417 rhs C:\Windows\Cluster\rhs.exe -key SYSTEM\CurrentControlSet\Services\ClusSvc\Parameters\Rhs\05f584dd-097b-4d27-87c6-f7e4d2139ec6 -parentPid 4648 -initEvent 3236c9b5-771f-47a0-99e4-eb35381a6983 -replyEndpoint LRPC-53caccf56a051a464b 4120 NT AUTHORITY\SYSTEM 12076/12220 2151758680/2151766872 1616/1968 9 137 0.0 2025-10-25 03:15:50 10421 SVC:WpnService C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService 3900 NT AUTHORITY\LOCAL SERVICE 179376/977336 5378592/6224540 554512/1374312 289 551 0.0 2025-10-25 03:17:05 10419 scanningprocess "C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe" -Embedding 3828 NT AUTHORITY\SYSTEM 36836/36916 4901364/4913288 47880/48060 28 781 0.0 2025-10-25 03:15:49 10421 SVC:MSExchangeHMRecovery "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe" 3756 NT AUTHORITY\SYSTEM 16796/17300 4282816/4299024 9296/9640 13 240 0.0 2025-10-25 03:15:49 10421 SVC:SearchExchangeTracing "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe" 3892 NT AUTHORITY\SYSTEM 7140/7184 2155944800/2155952992 1780/1976 9 143 0.0 2025-10-25 03:15:49 10421 SVC:SysMain C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain 3880 NT AUTHORITY\SYSTEM 5728/5748 2151747544/2151749592 1280/1376 8 105 0.0 2025-10-25 03:15:49 10421 SVC:sacsvr C:\Windows\System32\svchost.exe -k netsvcs -p -s sacsvr 5724 
NT AUTHORITY\SYSTEM 255332/286236 2153054460/2153063392 281660/312204 129 1529 0.0 2025-10-25 03:20:58 10416 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeRestAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \\.\pipe\iisipm9ab2d935-1be5-4a02-8c2c-81e29216fba0 -h "C:\inetpub\temp\apppools\MSExchangeRestAppPool\MSExchangeRestAppPool.config" -w "" -m 0 5624 NT AUTHORITY\NETWORK SERVICE 17784/17804 4782280/4787656 24964/25208 14 262 0.0 2025-10-25 03:15:51 10421 SVC:NetMsmqActivator "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator 5972 NT AUTHORITY\SYSTEM 185356/191104 2152802816/2152860660 200052/210068 87 1842 0.0 2025-10-25 03:15:52 10421 w3wp c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOABAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \\.\pipe\iisipm0f42cc76-70c7-4c2d-825f-32bb24fff634 -h "C:\inetpub\temp\apppools\MSExchangeOABAppPool\MSExchangeOABAppPool.config" -w "" -m 0 5832 NT AUTHORITY\NETWORK SERVICE 192624/195908 5259264/5415736 190352/196836 79 1211 0.0 2025-10-25 03:15:55 10421 SVC:MSExchangeDelivery "C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe" 5324 NT AUTHORITY\NETWORK SERVICE 8008/9516 2151752776/2151756872 2224/3400 11 167 0.0 2025-10-25 03:15:51 10421 SVC:PolicyAgent C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent 4504 NT AUTHORITY\SYSTEM 13496/13536 2151775828/2151781484 3464/3796 24 432 0.0 2025-10-25 03:15:50 10421 SVC:RasMan C:\Windows\System32\svchost.exe -k netsvcs 4468 NT AUTHORITY\SYSTEM 15424/18724 2152339480/2152360108 8316/11760 21 280 0.0 2025-10-25 03:19:14 10417 SVC:UALSVC C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s UALSVC 4856 NT AUTHORITY\SYSTEM 153864/154516 5211812/5224356 158480/159084 92 1958 0.0 2025-10-25 03:15:50 10421 
SVC:MSExchangeADTopology "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe" 4604 NT AUTHORITY\SYSTEM 6412/18404 2151738804/2151751056 1844/2756 7 87 0.0 2025-10-25 03:15:51 10421 AggregatorHost AggregatorHost.exe 3640 NT AUTHORITY\LOCAL SERVICE 7396/7416 2151751820/2151755916 1644/1744 9 158 0.0 2025-10-25 03:15:49 10421 SVC:pla C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s pla 2756 NT AUTHORITY\SYSTEM 9464/9804 2151757428/2151775184 2392/3036 10 202 0.0 2025-10-25 03:15:49 10421 SVC:UserManager C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager 2748 NT AUTHORITY\SYSTEM 94276/97548 5226580/5239316 68800/70088 66 918 0.0 2025-10-25 03:15:49 10421 SVC:HostControllerService "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe" 2876 NT AUTHORITY\LOCAL SERVICE 7400/7508 2151748124/2151757340 1436/1816 9 123 0.0 2025-10-25 03:15:49 10421 SVC:DispBrokerDesktopSvc C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc 2788 NT AUTHORITY\SYSTEM 42920/72400 2151877496/2151889464 23092/53160 30 626 0.0 2025-10-25 03:15:49 10421 SVC:DiagTrack C:\Windows\System32\svchost.exe -k utcsvc -p 2512 NT AUTHORITY\LOCAL SERVICE 11368/11532 2151767736/2151786984 3192/3716 15 429 0.0 2025-10-25 03:15:49 10421 SVC:netprofm C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm 2400 NT AUTHORITY\LOCAL SERVICE 8276/8428 2151752644/2151759524 2292/2648 10 182 0.0 2025-10-25 03:15:49 10421 SVC:WinHttpAutoProxySvc C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc 2352 NT AUTHORITY\LOCAL SERVICE 23564/26612 2151800440/2151823864 13700/16180 34 456 0.0 2025-10-25 03:15:49 10421 SVC:BFE/mpssvc C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p 2504 NT AUTHORITY\NETWORK SERVICE 14972/16468 2152044760/2152053640 4380/5964 28 310 0.0 2025-10-25 03:15:49 10421 SVC:CryptSvc 
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc 2496 NT AUTHORITY\SYSTEM 10424/10460 2151765436/2151775300 2392/2568 17 245 0.0 2025-10-25 03:15:49 10421 SVC:SessionEnv C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv 3580 NT AUTHORITY\SYSTEM 16100/16156 2151780032/2151780544 8828/9260 19 372 0.0 2025-10-25 03:15:49 10421 SVC:W3SVC/WAS C:\Windows\system32\svchost.exe -k iissvcs 3556 NT AUTHORITY\SYSTEM 9324/9396 2151752824/2151755404 2356/2536 11 206 0.0 2025-10-25 03:15:49 10421 SVC:LanmanServer C:\Windows\System32\svchost.exe -k smbsvcs -s LanmanServer 3632 NT AUTHORITY\LOCAL SERVICE 7632/7660 2151755464/2151761612 1752/1988 43 159 0.0 2025-10-25 03:15:49 10421 SVC:SstpSvc C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc 3588 NT AUTHORITY\NETWORK SERVICE 15152/15200 2151802324/2151805396 5872/6360 32 392 0.0 2025-10-25 03:15:49 10421 SVC:MSMQ C:\Windows\system32\mqsvc.exe 3496 NT AUTHORITY\LOCAL SERVICE 38680/38840 4799112/4804044 34632/34868 34 811 0.0 2025-10-25 03:15:49 10421 SVC:NetPipeActivator/NetTcpActivator/NetTcpPortSharing C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe 3080 NT AUTHORITY\SYSTEM 10516/10612 2152812876/2152829044 2636/3480 15 354 0.0 2025-10-25 03:15:49 10421 SVC:iphlpsvc C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc 3064 NT AUTHORITY\SYSTEM 27312/29228 2151842604/2151860992 8864/12096 28 524 0.0 2025-10-25 03:15:49 10421 SVC:Spooler C:\Windows\System32\spoolsv.exe 3484 Unknown 29796/30504 2151811868/2151818020 16288/16980 20 1054 0.0 2025-10-25 03:15:49 10421 SVC:MDCoreSvc 3140 NT AUTHORITY\SYSTEM 30444/30644 2151793208/2151798856 20004/20300 18 224 0.0 2025-10-25 03:15:49 10421 SVC:IISADMIN C:\Windows\system32\inetsrv\inetinfo.exe [netstat] PacketsReceived=23812248 ReceivedHeaderErrors=0 ReceivedAddressErrors=34 DatagramsForwarded=0 UnknownProtocolsReceived=0 ReceivedPacketsDiscarded=641 ReceivedPacketsDelivered=23814553 OutputRequests=28761666 RoutingDiscards=0 
DiscardedOutputPackets=3 OutputPacketNoRoute=3 ReassemblyRequired=0 ReassemblySuccessful=0 ReassemblyFailures=0 DatagramsSuccessfullyFragmented=0 DatagramsFailingFragmentation=0 FragmentsCreated=0 PacketsReceived=292427 ReceivedHeaderErrors=0 ReceivedAddressErrors=104 DatagramsForwarded=0 UnknownProtocolsReceived=0 ReceivedPacketsDiscarded=13 ReceivedPacketsDelivered=292529 OutputRequests=263798 RoutingDiscards=0 DiscardedOutputPackets=0 OutputPacketNoRoute=0 ReassemblyRequired=0 ReassemblySuccessful=0 ReassemblyFailures=0 DatagramsSuccessfullyFragmented=0 DatagramsFailingFragmentation=0 FragmentsCreated=0 tcpActiveOpens=753161 tcpPassiveOpens=1954059 tcpFailedConnectionAttempts=1255520 tcpResetConnections=127390 tcpCurrentConnections=126 tcpSegmentsReceived=27984629 tcpSegmentsSent=32926543 tcpSegmentsRetransmitted=89078 tcpActiveOpens=186303 tcpPassiveOpens=186297 tcpFailedConnectionAttempts=24743 tcpResetConnections=188507 tcpCurrentConnections=152 tcpSegmentsReceived=9558754 tcpSegmentsSent=9465758 tcpSegmentsRetransmitted=20 udpDatagramsReceived=1597634 udpNoPorts=641 udpReceiveErrors=0 udpDatagramsSent=1567943 udpDatagramsReceived=93 udpNoPorts=13 udpReceiveErrors=0 udpDatagramsSent=244 [ipconfig] Windows IP Configuration Host Name . . . . . . . . . . . . : Az-mbox2 Primary Dns Suffix . . . . . . . : ceda.unina2.it Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : ceda.unina2.it reddog.microsoft.com Ethernet adapter Ethernet 3: Connection-specific DNS Suffix . : reddog.microsoft.com Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2 Physical Address. . . . . . . . . : 00-22-48-81-F3-FC DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::6e0b:13d7:72ec:4952%11(Preferred) IPv4 Address. . . . . . . . . . . : 10.124.129.7(Preferred) Subnet Mask . . . . . . . . . . . 
: 255.255.255.0 Lease Obtained. . . . . . . . . . : Saturday, October 25, 2025 2:15:49 AM Lease Expires . . . . . . . . . . : Tuesday, December 8, 2161 3:25:01 PM Default Gateway . . . . . . . . . : 10.124.129.1 DHCP Server . . . . . . . . . . . : 168.63.129.16 DHCPv6 IAID . . . . . . . . . . . : 134226504 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-CD-EC-AA-00-22-48-88-8D-7D DNS Servers . . . . . . . . . . . : 10.124.1.4 10.124.1.5 NetBIOS over Tcpip. . . . . . . . : Enabled Tunnel adapter Local Area Connection* 10: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Microsoft Failover Cluster Virtual Adapter Physical Address. . . . . . . . . : 02-E0-7A-2C-69-56 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::9107:86a8:1716:79d5%18(Preferred) IPv4 Address. . . . . . . . . . . : 169.254.2.120(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.0.0 Default Gateway . . . . . . . . . : DHCPv6 IAID . . . . . . . . . . . : 302135671 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-CD-EC-AA-00-22-48-88-8D-7D NetBIOS over Tcpip. . . . . . . . 
: Enabled [route] =========================================================================== Interface List 11...00 22 48 81 f3 fc ......Microsoft Hyper-V Network Adapter #2 18...02 e0 7a 2c 69 56 ......Microsoft Failover Cluster Virtual Adapter 1...........................Software Loopback Interface 1 =========================================================================== IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 10.124.129.1 10.124.129.7 10 10.124.129.0 255.255.255.0 On-link 10.124.129.7 266 10.124.129.7 255.255.255.255 On-link 10.124.129.7 266 10.124.129.255 255.255.255.255 On-link 10.124.129.7 266 127.0.0.0 255.0.0.0 On-link 127.0.0.1 331 127.0.0.1 255.255.255.255 On-link 127.0.0.1 331 127.255.255.255 255.255.255.255 On-link 127.0.0.1 331 168.63.129.16 255.255.255.255 10.124.129.1 10.124.129.7 11 169.254.0.0 255.255.0.0 On-link 169.254.2.120 271 169.254.2.120 255.255.255.255 On-link 169.254.2.120 271 169.254.169.254 255.255.255.255 10.124.129.1 10.124.129.7 11 169.254.255.255 255.255.255.255 On-link 169.254.2.120 271 224.0.0.0 240.0.0.0 On-link 127.0.0.1 331 224.0.0.0 240.0.0.0 On-link 10.124.129.7 266 224.0.0.0 240.0.0.0 On-link 169.254.2.120 271 255.255.255.255 255.255.255.255 On-link 127.0.0.1 331 255.255.255.255 255.255.255.255 On-link 10.124.129.7 266 255.255.255.255 255.255.255.255 On-link 169.254.2.120 271 =========================================================================== Persistent Routes: None IPv6 Route Table =========================================================================== Active Routes: If Metric Network Destination Gateway 1 331 ::1/128 On-link 11 266 fe80::/64 On-link 18 271 fe80::/64 On-link 11 266 fe80::6e0b:13d7:72ec:4952/128 On-link 18 271 fe80::9107:86a8:1716:79d5/128 On-link 1 331 ff00::/8 On-link 11 266 ff00::/8 On-link 18 271 ff00::/8 On-link 
=========================================================================== Persistent Routes: None [ifstat] 10.124.129.7 31624163297 21159781709 169.254.2.120 42206479 47213182 [svcs] Name StartupType Status DisplayName AJRouter manual stopped AllJoyn Router Service ALG manual stopped Application Layer Gateway Service AppHostSvc automatic started Application Host Helper Service AppIDSvc manual stopped Application Identity Appinfo manual started Application Information AppMgmt manual stopped Application Management AppReadiness manual stopped App Readiness AppVClient disabled stopped Microsoft App-V Client AppXSvc manual stopped AppX Deployment Service (AppXSVC) aspnet_state manual stopped ASP.NET State Service AudioEndpointBuilder manual stopped Windows Audio Endpoint Builder Audiosrv manual stopped Windows Audio AxInstSV disabled stopped ActiveX Installer (AxInstSV) BDESVC manual stopped BitLocker Drive Encryption Service BFE automatic started Base Filtering Engine BITS manual stopped Background Intelligent Transfer Service BrokerInfrastructure automatic started Background Tasks Infrastructure Service bthserv manual stopped Bluetooth Support Service c2wts manual stopped Claims to Windows Token Service camsvc manual stopped Capability Access Manager Service CDPSvc automatic started Connected Devices Platform Service CertPropSvc manual started Certificate Propagation ClipSVC manual stopped Client License Service (ClipSVC) ClusSvc automatic started Cluster Service COMSysApp manual stopped COM+ System Application CoreMessagingRegistrar automatic started CoreMessaging CPrepSrv manual stopped CPrepSrv CryptSvc automatic started Cryptographic Services CscService disabled stopped Offline Files DcomLaunch automatic started DCOM Server Process Launcher dcsvc manual stopped Declared Configuration(DC) service defragsvc manual stopped Optimize drives DeviceAssociationService manual stopped Device Association Service DeviceInstall manual stopped Device Install Service 
DevQueryBroker manual stopped DevQuery Background Discovery Broker Dhcp automatic started DHCP Client diagnosticshub.standardcollector.service manual stopped Microsoft (R) Diagnostics Hub Standard Collector Service DiagTrack automatic started Connected User Experiences and Telemetry DispBrokerDesktopSvc automatic started Display Policy Service DmEnrollmentSvc manual stopped Device Management Enrollment Service dmwappushservice disabled stopped Device Management Wireless Application Protocol (WAP) Push message Routing Service Dnscache automatic started DNS Client DoSvc manual stopped Delivery Optimization dot3svc manual stopped Wired AutoConfig DPS automatic started Diagnostic Policy Service DsmSvc manual stopped Device Setup Manager DsSvc manual started Data Sharing Service EapHost manual stopped Extensible Authentication Protocol edgeupdate automatic stopped Microsoft Edge Update Service (edgeupdate) edgeupdatem manual stopped Microsoft Edge Update Service (edgeupdatem) EFS manual stopped Encrypting File System (EFS) embeddedmode manual stopped Embedded Mode EntAppSvc manual stopped Enterprise App Management Service EventLog automatic started Windows Event Log EventSystem automatic started COM+ Event System FcSrv manual stopped FcSrv fdPHost manual stopped Function Discovery Provider Host FDResPub manual stopped Function Discovery Resource Publication FMS automatic started Microsoft Filtering Management Service FontCache automatic started Windows Font Cache Service FrameServer manual stopped Windows Camera Frame Server FrameServerMonitor manual stopped Windows Camera Frame Server Monitor gpsvc automatic started Group Policy Client GraphicsPerfSvc disabled stopped GraphicsPerfSvc hidserv manual stopped Human Interface Device Service HostControllerService automatic started Microsoft Exchange Search Host Controller HvHost manual stopped HV Host Service IISADMIN automatic started IIS Admin Service IKEEXT manual stopped IKE and AuthIP IPsec Keying Modules 
InstallService manual stopped Microsoft Store Install Service iphlpsvc automatic started IP Helper KeyIso manual started CNG Key Isolation KPSSVC manual stopped KDC Proxy Server service (KPS) KtmRm manual stopped KtmRm for Distributed Transaction Coordinator LanmanServer automatic started Server LanmanWorkstation automatic started Workstation lfsvc disabled stopped Geolocation Service LicenseManager manual stopped Windows License Manager Service lltdsvc disabled stopped Link-Layer Topology Discovery Mapper lmhosts manual started TCP/IP NetBIOS Helper LSM automatic started Local Session Manager MapsBroker disabled stopped Downloaded Maps Manager McpManagementService manual stopped McpManagementService MDCoreSvc automatic started Microsoft Defender Core Service MicrosoftEdgeElevationService manual stopped Microsoft Edge Elevation Service (MicrosoftEdgeElevationService) mpssvc automatic started Windows Defender Firewall MSComplianceAudit automatic started Microsoft Exchange Compliance Audit MSDTC automatic started Distributed Transaction Coordinator MSExchangeADTopology automatic started Microsoft Exchange Active Directory Topology MSExchangeAntispamUpdate automatic started Microsoft Exchange Anti-spam Update MSExchangeCompliance automatic started Microsoft Exchange Compliance Service MSExchangeDagMgmt automatic started Microsoft Exchange DAG Management MSExchangeDelivery automatic started Microsoft Exchange Mailbox Transport Delivery MSExchangeDiagnostics automatic started Microsoft Exchange Diagnostics MSExchangeEdgeSync automatic started Microsoft Exchange EdgeSync MSExchangeFastSearch automatic started Microsoft Exchange Search MSExchangeFlighting automatic started Microsoft Exchange Flighting Service MSExchangeFrontEndTransport automatic started Microsoft Exchange Frontend Transport MSExchangeHM automatic started Microsoft Exchange Health Manager MSExchangeHMRecovery automatic started Microsoft Exchange Health Manager Recovery MSExchangeImap4 automatic started 
Microsoft Exchange IMAP4 MSExchangeIMAP4BE automatic started Microsoft Exchange IMAP4 Backend MSExchangeIS automatic started Microsoft Exchange Information Store MSExchangeMailboxAssistants automatic started Microsoft Exchange Mailbox Assistants MSExchangeMailboxReplication automatic started Microsoft Exchange Mailbox Replication MSExchangeMitigation automatic started Microsoft Exchange Emergency Mitigation Service MSExchangePop3 automatic started Microsoft Exchange POP3 MSExchangePOP3BE automatic started Microsoft Exchange POP3 Backend MSExchangeRepl automatic started Microsoft Exchange Replication MSExchangeRPC automatic started Microsoft Exchange RPC Client Access MSExchangeServiceHost automatic started Microsoft Exchange Service Host MSExchangeSubmission automatic started Microsoft Exchange Mailbox Transport Submission MSExchangeThrottling automatic started Microsoft Exchange Throttling MSExchangeTransport automatic started Microsoft Exchange Transport MSExchangeTransportLogSearch automatic started Microsoft Exchange Transport Log Search MSiSCSI manual stopped Microsoft iSCSI Initiator Service msiserver manual stopped Windows Installer MSMQ automatic started Message Queuing NcaSvc disabled stopped Network Connectivity Assistant NcbService manual started Network Connection Broker Netlogon automatic started Netlogon Netman manual stopped Network Connections NetMsmqActivator automatic started Net.Msmq Listener Adapter NetPipeActivator automatic started Net.Pipe Listener Adapter netprofm manual started Network List Service NetSetupSvc manual stopped Network Setup Service NetTcpActivator automatic started Net.Tcp Listener Adapter NetTcpPortSharing automatic started Net.Tcp Port Sharing Service NgcCtnrSvc manual stopped Microsoft Passport Container NgcSvc manual stopped Microsoft Passport NlaSvc automatic started Network Location Awareness nsi automatic started Network Store Interface Service PcaSvc automatic started Program Compatibility Assistant Service PerfHost 
manual stopped Performance Counter DLL Host
pla automatic started Performance Logs & Alerts
PlugPlay manual started Plug and Play
PolicyAgent manual started IPsec Policy Agent
Power automatic started Power
PrintNotify manual stopped Printer Extensions and Notifications
ProfSvc automatic started User Profile Service
PushToInstall disabled stopped Windows PushToInstall Service
QWAVE manual stopped Quality Windows Audio Video Experience
RasAuto manual stopped Remote Access Auto Connection Manager
RasMan automatic started Remote Access Connection Manager
RdAgent automatic started RdAgent
RemoteAccess disabled stopped Routing and Remote Access
RemoteRegistry automatic stopped Remote Registry
RmSvc disabled stopped Radio Management Service
RpcEptMapper automatic started RPC Endpoint Mapper
RPCHTTPLBS manual stopped RPC/HTTP Load Balancing Service
RpcLocator manual stopped Remote Procedure Call (RPC) Locator
RpcSs automatic started Remote Procedure Call (RPC)
RSoPProv manual stopped Resultant Set of Policy Provider
sacsvr manual started Special Administration Console Helper
SamSs automatic started Security Accounts Manager
SCardSvr manual stopped Smart Card
ScDeviceEnum disabled stopped Smart Card Device Enumeration Service
Schedule automatic started Task Scheduler
SCPolicySvc manual stopped Smart Card Removal Policy
SearchExchangeTracing automatic started Tracing Service for Search in Exchange
seclogon manual stopped Secondary Logon
SecurityHealthService manual started Windows Security Service
SEMgrSvc disabled stopped Payments and NFC/SE Manager
SENS automatic started System Event Notification Service
Sense manual stopped Windows Defender Advanced Threat Protection Service
SensorDataService disabled stopped Sensor Data Service
SensorService manual stopped Sensor Service
SensrSvc manual stopped Sensor Monitoring Service
SessionEnv manual started Remote Desktop Configuration
SharedAccess disabled stopped Internet Connection Sharing (ICS)
ShellHWDetection automatic started Shell Hardware Detection
shpamsvc disabled stopped Shared PC Account Manager
SmbWitness manual stopped SMB Witness
smphost manual stopped Microsoft Storage Spaces SMP
SNMPTRAP manual stopped SNMP Trap
Spooler automatic started Print Spooler
sppsvc automatic stopped Software Protection
SSDPSRV disabled stopped SSDP Discovery
ssh-agent disabled stopped OpenSSH Authentication Agent
SstpSvc manual started Secure Socket Tunneling Protocol Service
StateRepository automatic started State Repository Service
StiSvc manual stopped Windows Image Acquisition (WIA)
StorSvc automatic started Storage Service
svsvc manual stopped Spot Verifier
swprv manual stopped Microsoft Software Shadow Copy Provider
SysMain automatic started SysMain
SystemEventsBroker automatic started System Events Broker
TabletInputService manual started Touch Keyboard and Handwriting Panel Service
tapisrv manual stopped Telephony
TargetMgr disabled stopped Target Manager
TermService manual started Remote Desktop Services
Themes automatic started Themes
TieringEngineService manual stopped Storage Tiers Management
TimeBrokerSvc manual started Time Broker
TokenBroker manual started Web Account Manager
TrkWks automatic started Distributed Link Tracking Client
TrustedInstaller manual stopped Windows Modules Installer
tzautoupdate disabled stopped Auto Time Zone Updater
UALSVC automatic started User Access Logging Service
UevAgentService disabled stopped User Experience Virtualization Service
UmRdpService manual started Remote Desktop Services UserMode Port Redirector
upnphost disabled stopped UPnP Device Host
UserManager automatic started User Manager
UsoSvc automatic started Update Orchestrator Service
VaultSvc manual stopped Credential Manager
vds manual stopped Virtual Disk
vmicguestinterface manual stopped Hyper-V Guest Service Interface
vmicheartbeat manual started Hyper-V Heartbeat Service
vmickvpexchange manual started Hyper-V Data Exchange Service
vmicshutdown manual started Hyper-V Guest Shutdown Service
vmictimesync manual started Hyper-V Time Synchronization Service
vmicvmsession manual stopped Hyper-V PowerShell Direct Service
vmicvss manual stopped Hyper-V Volume Shadow Copy Requestor
VSS manual stopped Volume Shadow Copy
W32Time automatic started Windows Time
w3logsvc manual stopped W3C Logging Service
W3SVC automatic started World Wide Web Publishing Service
WaaSMedicSvc manual stopped Windows Update Medic Service
WalletService disabled stopped WalletService
WarpJITSvc manual stopped Warp JIT Service
WAS manual started Windows Process Activation Service
WbioSrvc manual stopped Windows Biometric Service
Wcmsvc automatic started Windows Connection Manager
WdiServiceHost manual started Diagnostic Service Host
WdiSystemHost manual stopped Diagnostic System Host
WdNisSvc manual started Microsoft Defender Antivirus Network Inspection Service
Wecsvc manual stopped Windows Event Collector
WEPHOSTSVC manual stopped Windows Encryption Provider Host Service
wercplsupport manual stopped Problem Reports Control Panel Support
WerSvc manual stopped Windows Error Reporting Service
WiaRpc manual stopped Still Image Acquisition Events
WinDefend automatic started Microsoft Defender Antivirus Service
WindowsAzureGuestAgent automatic started Windows Azure Guest Agent
WinHttpAutoProxySvc manual started WinHTTP Web Proxy Auto-Discovery Service
Winmgmt automatic started Windows Management Instrumentation
WinRM automatic started Windows Remote Management (WS-Management)
wisvc disabled stopped Windows Insider Service
wlidsvc manual stopped Microsoft Account Sign-in Assistant
wmiApSrv manual stopped WMI Performance Adapter
WMPNetworkSvc manual stopped Windows Media Player Network Sharing Service
WMSVC automatic started Web Management Service
WPDBusEnum manual stopped Portable Device Enumerator Service
WpnService automatic started Windows Push Notifications System Service
wsbexchange manual stopped Microsoft Exchange Server Extension for Windows Server Backup
WSearch disabled stopped Windows Search
wuauserv manual started Windows Update
XymonPSClient automatic started XymonPSClient
[uptime]
sec: 625247
7 days 5 hours 40 minutes 47 seconds
Bootup: 20251025031543.498944+120
[who]
SESSIONNAME USERNAME ID STATE TYPE DEVICE
>services 0 Disc
console 1 Conn
31c5ce94259d4... 65536 Listen
rdp-tcp 65537 Listen
Total sessions created: 3
Total sessions disconnected: 1
Total sessions reconnected: 0
[users]
[iis_sites]
Default Web Site
IIS://localhost/W3SVC/1
SiteID: 1
LogFileDirectory C:\inetpub\logs\LogFiles
ServerAutoStart True
ServerBindings :80: 127.0.0.1:80:
ServerState 2
SecureBindings 127.0.0.1:443: :443:
Exchange Back End
IIS://localhost/W3SVC/2
SiteID: 2
LogFileDirectory C:\inetpub\logs\LogFiles
ServerAutoStart True
ServerBindings :81:
ServerState 2
SecureBindings :444:
[XymonConfig]
XymonSettings
serversList : 10.224.4.197
serverUrl :
serverHttpUsername :
serverHttpTimeoutMs : 100000
wanteddisksList : {3}
clientname : az-mbox2.ceda.unina2.it
clientsoftware : powershell
clientclass : powershell
loopinterval : 300
maxlogage : 60
MaxEvents : 5000
slowscanrate : 72
reportevt : 1
EnableWin32_Product : 0
EnableWin32_QuickFixEngineering : 0
EnableWMISections : 0
EnableIISSection : 1
EnableDiskPart : 0
ClientProcessPriority : Normal
clientlogpath : C:\Program Files\xymon
clientlogretain : 0
XymonAcceptUTF8 : 0
GetProcessInfoCommandLine : 1
GetProcessInfoOwner : 1
externalscriptlocation : C:\Program Files\xymon\ext
externaldatalocation : C:\Program Files\xymon\tmp
localdatalocation : C:\Program Files\xymon\local
servergiflocation : /xymon/gifs/
servers : 10.224.4.197
clientlogfile : C:\Program Files\xymon\xymonclient.log
clientconfigfile : C:\Program Files\xymon\clientconfig.cfg
clientfqdn : 1
clientlower : 1
clientbbwinmembug : 0
clientremotecfgexec : 1
HaveCmd
Name Value
---- -----
qwinsta True
query True
XymonClientVersion : xymonclient.ps1 2.42 2019-03-11 zak.beck@accenture.com
clientname az-mbox2.ceda.unina2.it
[XymonPSClientInfo]
Collection number: 85
Last transmission method: TCP
Id : 13496
Handles : 561
CPU : 521.46875
SI : 0
Name : powershell