«

»

Feb 15 2016

HOWTO: Determine what wmiprvse.exe is actually doing (aka Troubleshoot WMI)

This HOWTO came about after watching the excellent video series on using Process Explorer available here:

Case of the Unexplained: Troubleshooting with Mark Russinovich

In this video, he talks about a case where wmiprvse.exe was causing Bluray video playback to stutter. 
If you have worked in IT for any length of time, you’ve probably seen this executable come up during your troubleshooting.  It’s the "WMI provider host".
I’ve known that for a while but what happens inside this process has always been a black box for me… until now that is.

If you ever run into an issue where wmiprvse.exe is misbehaving, follow these simple troubleshooting steps:

1) Launch Event Viewer, go to View and enable Show Analytic and Debug Logs
image

2) In the Event Viewer pane, select Application and Services Logs / Microsoft / Windows (scroll way down near the end) and select WMI-Activity

image

image

3) Right click on WMI-Activity and choose Enable Log.  This enables a comprehensive debug log of all WMI activity taking place on your system (aka what’s happening inside wmiprvse.exe.

image

4) For demonstration purposes, let’s trigger a WMI event.  Open a PowerShell prompt and type Get-WMIObject Win32_BIOS and press enter:

image

5) Imagine for a moment that this process was broken and running this command hundreds of times per second slowing down your machine.  But it was running in the background or perhaps as another user. 
How would you ever possibly figure that out?

6) Go back to your Event Viewer, right click on WMI-Activity and choose Disable Log.  This will make the data collected while the debug log was enabled now visible.

image

7) Look for an event ID 11.  Here we see all the information we need to troubleshoot this issue, specifically:

1) The exact WMI query that was executed against the WMI subsystem
2) The computer account that executed the query
3) The username that executed the query
4) Perhaps most importantly, the process ID that sent the query

image

8) Lastly, open Process Explorer and sort your data by PID.  In this case, the Event Viewer tells us that the problem query came from process ID 72368.  What process is that?

image

Busted!  That’s pretty awesome if you ask me.  It makes me wonder what other trace logs are available in the Event Viewer that could help me in future troubleshooting endeavors. 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">