Many instances of Event 5858 from WMI-Activity are appearing in the Microsoft-Windows-WMI-Activity/Operational log.

An example of the event message text is "Id = {BA4361BF-423A-0001-1284-43BA3A42CD01}; ClientMachine = SERVER1; User = SERVER\bnf1; ClientProcessId = 928; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem; ResultCode = 0x80041032; PossibleCause = Unknown

Is there a solution or a workaround?

Thanks.

Hi,

Thank you for your post.

This is a quick note to let you know that we are performing research on this issue.

Thank you!

Thank you!

Any progress?

It is the same here, only I discover that after this string of messges on two (of my 12) servers, some services that were stopped automagically shortly before, are not restarted.

This is more than an annoyance, because these services (VMware tools service on one server and all Veeam Backup and Replicatation services on the other) are pretty important.

Jan

These events continue in Windows Server 2012 RTM.  There are a couple of different sources of this event, as detailed below.

1.  A group of about 15 instances occurs during Windows Setup, is associated with the operation WbemServices::CreateInstanceEnum, and fails with a result code of 0x8004100A (WBEM_E_CRITICAL_ERROR).  The WMI Error Constants web page says "Report the error to Microsoft Technical Support".

2.  Another group is associated with the operation WbemServices::ExecQuery, and fails with a result code of 0x80041032 (WBEM_E_CALL_CANCELLED).

3.  The most common group, which occurs when Group Policy is applied, is associated with the operation WbemServices::DeleteInstance, and fails with a result code of 0x80041002 (WBEM_E_NOT_FOUND).  This group references Group Policy Preferences, which are not available in non domain-joined computers, and in the case of domain-joined computers, occurs for all such objects that are not defined.  For example, when a preference is definded for User Configuration > Preferences > Control Panel Settings > Start Menu, and gpupdate /force is run, the count of event 5858 will be reduced by 1, because this prefrence has been defined.

Any update on this? I have the exact same issue when trying to start Direct Access on Server 2012, even before the configuration.

Hello

fresh installation of Windows 2012 Standard generates these WMI-Activity 5858 events to log:

Error 12. 12. 2012 17:48:34 Microsoft-Windows-WMI-Activity 5858 None Id = {356CD90E-D888-0001-27D9-6C3588D8CD01}; ClientMachine = WIN-23RS9SG3UCE; User = NT AUTHORITY\SYSTEM; ClientProcessId = 1092; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystemProduct; ResultCode = 0x80041032; PossibleCause = Unknown

Error 12. 12. 2012 17:41:18
Microsoft-Windows-WMI-Activity 5858 None Id = {5BE6862E-D885-0000-5F86-E65B85D8CD01}; ClientMachine = WIN-23RS9SG3UCE; User = WIN-23RS9SG3UCE\Administrator; ClientProcessId = 2080; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem; ResultCode = 0x80041032; PossibleCause = Unknown

Error 12. 12. 2012 17:39:18 Microsoft-Windows-WMI-Activity 5858 None Id = {5BE6862E-D885-0000-6186-E65B85D8CD01}; ClientMachine = WIN-23RS9SG3UCE; User = WIN-23RS9SG3UCE\Administrator; ClientProcessId = 2080; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem; ResultCode = 0x80041032; PossibleCause = Unknown

Error 12. 12. 2012 17:37:18 Microsoft-Windows-WMI-Activity 5858 None Id = {5BE6862E-D885-0000-5F86-E65B85D8CD01}; ClientMachine = WIN-23RS9SG3UCE; User = WIN-23RS9SG3UCE\Administrator; ClientProcessId = 2080; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem; ResultCode = 0x80041032; PossibleCause = Unknown

None of the mentioned Id couldn't I find in the system registry.

Thank you in advance for any idea how to solve these errors.

• Edited by Jiri Huml Thursday, December 13, 2012 10:08 AM

Hello

fresh installation of Windows 2012 Standard generates these WMI-Activity 5858 events to log:

Error 12. 12. 2012 17:48:34 Microsoft-Windows-WMI-Activity 5858 None Id = {356CD90E-D888-0001-27D9-6C3588D8CD01}; ClientMachine = WIN-23RS9SG3UCE; User = NT AUTHORITY\SYSTEM; ClientProcessId = 1092; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystemProduct; ResultCode = 0x80041032; PossibleCause = Unknown

Error 12. 12. 2012 17:41:18
Microsoft-Windows-WMI-Activity 5858 None Id = {5BE6862E-D885-0000-5F86-E65B85D8CD01}; ClientMachine = WIN-23RS9SG3UCE; User = WIN-23RS9SG3UCE\Administrator; ClientProcessId = 2080; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem; ResultCode = 0x80041032; PossibleCause = Unknown

Error 12. 12. 2012 17:39:18 Microsoft-Windows-WMI-Activity 5858 None Id = {5BE6862E-D885-0000-6186-E65B85D8CD01}; ClientMachine = WIN-23RS9SG3UCE; User = WIN-23RS9SG3UCE\Administrator; ClientProcessId = 2080; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem; ResultCode = 0x80041032; PossibleCause = Unknown

Error 12. 12. 2012 17:37:18 Microsoft-Windows-WMI-Activity 5858 None Id = {5BE6862E-D885-0000-5F86-E65B85D8CD01}; ClientMachine = WIN-23RS9SG3UCE; User = WIN-23RS9SG3UCE\Administrator; ClientProcessId = 2080; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem; ResultCode = 0x80041032; PossibleCause = Unknown

None of the mentioned Id couldn't I find in the system registry.

Thank you in advance for any idea how to solve these errors.

• Edited by Jiri Huml Thursday, December 13, 2012 10:08 AM

I have same prolem on Exchange 2010 SP1 server.

Log Name:      Microsoft-Windows-WMI-Activity/Operational
Source:        Microsoft-Windows-WMI-Activity
Date:          12/21/2012 8:38:11 PM
Event ID:      5858
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      Exchange10-1.practice.com
Description:
Id = {5DBAD974-6927-44C5-AF34-578E94F65775}; ClientMachine = EXCHANGE10-1; User = ; ClientProcessId = 772; Component = Unknown; Operation = Start IWbemServices::DeleteInstance - Root\Rsop\User\S_1_5_21_345497259_281931215_3209510912_500 : RSOP_ExtensionStatus.extensionGuid="{FB2CA36D-0B40-4307-821B-A13B252DE56C}"; ResultCode = 0x80041002; PossibleCause = Unknown
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
    <EventID>5858</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2012-12-22T03:38:11.117070900Z" />
    <EventRecordID>169</EventRecordID>
    <Correlation />
    <Execution ProcessID="772" ThreadID="4868" />
    <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
    <Computer>Exchange10-1.practice.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <Operation_ClientFailure xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
      <Id>{5DBAD974-6927-44C5-AF34-578E94F65775}</Id>
      <ClientMachine>EXCHANGE10-1</ClientMachine>
      <User>
      </User>
      <ClientProcessId>772</ClientProcessId>
      <Component>Unknown</Component>
      <Operation>Start IWbemServices::DeleteInstance - Root\Rsop\User\S_1_5_21_345497259_281931215_3209510912_500 : RSOP_ExtensionStatus.extensionGuid="{FB2CA36D-0B40-4307-821B-A13B252DE56C}"</Operation>
      <ResultCode>0x80041002</ResultCode>
      <PossibleCause>Unknown</PossibleCause>
    </Operation_ClientFailure>
  </UserData>
</Event>

Hi!

Is there any update about this problem?

I have the same problem:

Microsoft-Windows-WMI-Activity	5858	2013.01.08. 3:25:25	393
Esemny rszletei:    Id = {00000001-0000-0003-C9AE-1D194AE0CD01}; ClientMachine = SBS; User = NT AUTHORITY\SYSTEM; ClientProcessId = 11352; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_OperatingSystem Where ProductType!=2 or ProductType!=3; ResultCode = 0x80041032; PossibleCause = Unknown

Thanks!

Hi,

I have the same issues on all 4 of my machines.  Most prominent is the 80041002 shown in every WMIDiag.vbs log file ever executed.  They always show the same 30 classes as being missing on most systems where WMIDiag is run.  Most common error listed in WMI-Activity/Operational log is consistent 80041032 entries every few minutes to every 2 hours.  They occur immediately after cimwin32.dll is loaded.  These issues have been researched for years and no solutiuon has ever been posted by Microsoft or anyone else.  Come on Microsft, what is going on with Windows Management Instrumentation?

Best regards.

Hi, I am having the same issue. Does anyone even know what is the cause? Is it hardware and/or software?

Thanks,

-Matt

have any of you windows server as a VM on XEN server? I have 2 win servers on XEN server and i have suspicion it's reason for this.

have any of you windows server as a VM on XEN server? I have 2 win servers on XEN server and i have suspicion it's reason for this.

No,

I have only 2 servers installed (DELL Poweredge and Intel Board)

and both have any thousends errors in WMI Events 5858

I have the same issue on Windows 7 professional x64

Id = {02CBDA40-F800-0000-E865-AAE33D0FCE01}; ClientMachine = Client04; User = NT AUTHORITY\SYSTEM; ClientProcessId = 980; Component = Unknown; Operation = Start IWbemServices::DeleteInstance - Root\Rsop\User\S_1_5_21_1447720405_913420198_1853421413_1156 : RSOP_ExtensionStatus.extensionGuid="{1A6364EB-776B-4120-ADE1-B63A406A76B5}"; ResultCode = 0x80041002; PossibleCause = Unknown

event id 5858
WMI-Activity

This issue was raised back in June last year - no progress by anyone? Microsoft, where are you on this?

Steve

I have the same issue on Windows 7 professional x64

Id = {02CBDA40-F800-0000-E865-AAE33D0FCE01}; ClientMachine = Client04; User = NT AUTHORITY\SYSTEM; ClientProcessId = 980; Component = Unknown; Operation = Start IWbemServices::DeleteInstance - Root\Rsop\User\S_1_5_21_1447720405_913420198_1853421413_1156 : RSOP_ExtensionStatus.extensionGuid="{1A6364EB-776B-4120-ADE1-B63A406A76B5}"; ResultCode = 0x80041002; PossibleCause = Unknown

event id 5858
WMI-Activity

This issue was raised back in June last year - no progress by anyone? Microsoft, where are you on this?

Steve

I'm having the similar issue on win7pro 64 bit.  This error appears to be triggered by a problem with the Windows Diagnostic Services, which blow up and cannot run.  Consequently, many troubleshooter wizards can't run either.  My actual error code is:

Id = {034BFC78-F800-0007-44C2-5786103FCE01}; ClientMachine = JOHN-GALT; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4860; Component = Unknown; Operation = Start IWbemServices::CreateInstanceEnum - root\wmi : hpqBIntM; ResultCode = 0x80041032; PossibleCause = Unknown

In my case, it appears to be pointing to the HP BIOS enumerator, which (according to WMI diagnostics) is dynamic.  WMI diagnostic log shows some errors  around HP_BIOSEnumeration (in Root/HP/INSTRUMENTEDBIOS) because (InstancesOfSink_OnCompleted) : 0x8004100F invalid instance.

Ideas?

• Edited by Davodavodavo Tuesday, April 23, 2013 2:50 PM
• Proposed as answer by Keith Bankston (MSFT) Thursday, May 30, 2013 8:59 PM
• Unproposed as answer by Keith Bankston (MSFT) Thursday, May 30, 2013 8:59 PM

I have the same issue on Windows 7 professional x64

Id = {02CBDA40-F800-0000-E865-AAE33D0FCE01}; ClientMachine = Client04; User = NT AUTHORITY\SYSTEM; ClientProcessId = 980; Component = Unknown; Operation = Start IWbemServices::DeleteInstance - Root\Rsop\User\S_1_5_21_1447720405_913420198_1853421413_1156 : RSOP_ExtensionStatus.extensionGuid="{1A6364EB-776B-4120-ADE1-B63A406A76B5}"; ResultCode = 0x80041002; PossibleCause = Unknown

event id 5858
WMI-Activity

This issue was raised back in June last year - no progress by anyone? Microsoft, where are you on this?

Steve

I'm having the similar issue on win7pro 64 bit.  This error appears to be triggered by a problem with the Windows Diagnostic Services, which blow up and cannot run.  Consequently, many troubleshooter wizards can't run either.  My actual error code is:

Id = {034BFC78-F800-0007-44C2-5786103FCE01}; ClientMachine = JOHN-GALT; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4860; Component = Unknown; Operation = Start IWbemServices::CreateInstanceEnum - root\wmi : hpqBIntM; ResultCode = 0x80041032; PossibleCause = Unknown

In my case, it appears to be pointing to the HP BIOS enumerator, which (according to WMI diagnostics) is dynamic.  WMI diagnostic log shows some errors  around HP_BIOSEnumeration (in Root/HP/INSTRUMENTEDBIOS) because (InstancesOfSink_OnCompleted) : 0x8004100F invalid instance.

Ideas?

• Edited by Davodavodavo Tuesday, April 23, 2013 2:50 PM
• Proposed as answer by Keith Bankston (MSFT) Thursday, May 30, 2013 8:59 PM
• Unproposed as answer by Keith Bankston (MSFT) Thursday, May 30, 2013 8:59 PM

The core problem for this set of issues is that the WMI error event ID 5858 is being generated generically and is not only representing functional error conditions. Unfortunately, for application/backwards compatibility, we cant just get rid of it, because people have gone to the effort of parsing the event (more below) to look for the instances where there is useful data.

Event 5858 is generated any time there is an error returned to the WMI client API. Many of these errors are behaviors that the client application handles (for example, checking for something that is not present), so seeing event 5858 does not tell you enough. The user data section of the event has the information to explain if the problem is important, but it must be parsed. That makes this event hard to use for monitoring, so some notes on that are at the end.

To understand WMI event 5858, the key elements are in userdata, specifically:

• ResultCode this tells you the real reason event is generated, and is the most valuable piece of information. More info is below, but searching TechNet for the ResultCode will usually give you the information you need.
• Operation the relevant info follows Start IWbemServices::, and tells you what WMI was asked to do. This includes run a query, enumerate/create/delete instances, look for a class, etc. There is a full list here: //msdn.microsoft.com/en-us/library/windows/desktop/gg196568(v=vs.85).aspx
• User it sometimes it helps to know what account was trying to do the Operation, particularly if the ResultCode is 0x80041003 Access Denied.

ResultCode details: There is a good list of ResultCodes here: //support.microsoft.com/kb/295821. The ones listed in this thread are:

• 0x80041032 Call Cancelled. The client application cancelled the request that was made. That is almost always ignorable as a WMI error. The component or application (SCCM, or Group Policy) for example) that was calling into WMI cancelled the request, and will likely generate its own event if it is important to do.
• 0x8004100A Critical Error. This could be a significant problem, and should be investigated. The WMI infrastructure is not working properly. You can either use WMIDiag (see this article: //blogs.technet.com/b/askperf/archive/2012/02/03/wmidiag-2-1-is-here.aspx) or from an elevated command prompt run Winmgmt VerifyRepository.  
• 0x80041002 Not Found. This is usually ignorable by itself. It means that WMI could not find the instance of a class that was requested, which is not unusual.
• 0x8004100F Invalid Object. This could be a significant problem and should be investigated. It could be a problem where the WMI provider is badly written, or it could be an issue within the WMI repository. See Troubleshooting below.

Operation details This begins with Start IWbemServices::, then the actual operation, with parameters you can use to find out more info. Examples from the thread above are:

• ExecQuery run a WMI query. The structure is ExecQuery - <namespace> : <query>. Example is ExecQuery - root\CIMV2 : select * from Win32_OperatingSystem Where ProductType!=2 or ProductType!=3. You can use the PS command get-wmiobject namespace (insert the namespace) query (insert the query portion)
• DeleteInstance delete a specific instance of a WMI class. Looks like: DeleteInstance - <namespace>: <instance information>. Example is DeleteInstance - Root\Rsop\User\S_1_5_21_1447720405_913420198_1853421413_1156 : RSOP_ExtensionStatus.extensionGuid="{1A6364EB-776B-4120-ADE1-B63A406A76B5}".
• CreateInstanceEnum sets up to enumerate all instances of a class. Structure is CreateInstanceEnum - <namespace> : <classname>.

Troubleshooting:

As noted, some of the issues listed above are important to understand. There are some good topics on WMI Troubleshooting in TechNet, so I wont try to repeat them. There is a generally good article here: technet.microsoft.com/en-us/magazine/2006.09.wmievents.aspx. The most critical things to check for are repository issues, which you can do either using WMIDiag (see this article: blogs.technet.com/b/askperf/archive/2012/02/03/wmidiag-2-1-is-here.aspx) or from an elevated command prompt run Winmgmt VerifyRepository, and confirm that the repository is in good shape.

Monitoring:

You have to parse event 5858 to get the critical info, so other events are easier to use for monitoring. The most critical events to watch for relating to WMI are still in the Windows-Application log, not Microsoft-Windows-WMI-Activity/Operational log (where event 5858 is found). All of the most serious errors that will show up with an event 5858 will also have something in the Windows-Application log. Documentation for the most relevant events are listed in multiple topics under this reference: //technet.microsoft.com/en-us/library/cc727020(v=ws.10).aspx

In summary:

Event 5858 is confusing, generally ignorable, and unfortunately not something we can get rid of easily. It does provide valuable information if you know how to parse it. The most relevant information is the ResultCode in the UserData section copy and paste that into a search of TechNet for meaningful information.

• Edited by Keith Bankston (MSFT) Thursday, May 30, 2013 9:31 PM
• Proposed as answer by mcbsys Saturday, March 22, 2014 7:53 PM

The core problem for this set of issues is that the WMI error event ID 5858 is being generated generically and is not only representing functional error conditions. Unfortunately, for application/backwards compatibility, we cant just get rid of it, because people have gone to the effort of parsing the event (more below) to look for the instances where there is useful data.

Event 5858 is generated any time there is an error returned to the WMI client API. Many of these errors are behaviors that the client application handles (for example, checking for something that is not present), so seeing event 5858 does not tell you enough. The user data section of the event has the information to explain if the problem is important, but it must be parsed. That makes this event hard to use for monitoring, so some notes on that are at the end.

To understand WMI event 5858, the key elements are in userdata, specifically:

• ResultCode this tells you the real reason event is generated, and is the most valuable piece of information. More info is below, but searching TechNet for the ResultCode will usually give you the information you need.
• Operation the relevant info follows Start IWbemServices::, and tells you what WMI was asked to do. This includes run a query, enumerate/create/delete instances, look for a class, etc. There is a full list here: //msdn.microsoft.com/en-us/library/windows/desktop/gg196568(v=vs.85).aspx
• User it sometimes it helps to know what account was trying to do the Operation, particularly if the ResultCode is 0x80041003 Access Denied.

ResultCode details: There is a good list of ResultCodes here: //support.microsoft.com/kb/295821. The ones listed in this thread are:

• 0x80041032 Call Cancelled. The client application cancelled the request that was made. That is almost always ignorable as a WMI error. The component or application (SCCM, or Group Policy) for example) that was calling into WMI cancelled the request, and will likely generate its own event if it is important to do.
• 0x8004100A Critical Error. This could be a significant problem, and should be investigated. The WMI infrastructure is not working properly. You can either use WMIDiag (see this article: //blogs.technet.com/b/askperf/archive/2012/02/03/wmidiag-2-1-is-here.aspx) or from an elevated command prompt run Winmgmt VerifyRepository.  
• 0x80041002 Not Found. This is usually ignorable by itself. It means that WMI could not find the instance of a class that was requested, which is not unusual.
• 0x8004100F Invalid Object. This could be a significant problem and should be investigated. It could be a problem where the WMI provider is badly written, or it could be an issue within the WMI repository. See Troubleshooting below.

Operation details This begins with Start IWbemServices::, then the actual operation, with parameters you can use to find out more info. Examples from the thread above are:

• ExecQuery run a WMI query. The structure is ExecQuery - <namespace> : <query>. Example is ExecQuery - root\CIMV2 : select * from Win32_OperatingSystem Where ProductType!=2 or ProductType!=3. You can use the PS command get-wmiobject namespace (insert the namespace) query (insert the query portion)
• DeleteInstance delete a specific instance of a WMI class. Looks like: DeleteInstance - <namespace>: <instance information>. Example is DeleteInstance - Root\Rsop\User\S_1_5_21_1447720405_913420198_1853421413_1156 : RSOP_ExtensionStatus.extensionGuid="{1A6364EB-776B-4120-ADE1-B63A406A76B5}".
• CreateInstanceEnum sets up to enumerate all instances of a class. Structure is CreateInstanceEnum - <namespace> : <classname>.

Troubleshooting:

As noted, some of the issues listed above are important to understand. There are some good topics on WMI Troubleshooting in TechNet, so I wont try to repeat them. There is a generally good article here: technet.microsoft.com/en-us/magazine/2006.09.wmievents.aspx. The most critical things to check for are repository issues, which you can do either using WMIDiag (see this article: blogs.technet.com/b/askperf/archive/2012/02/03/wmidiag-2-1-is-here.aspx) or from an elevated command prompt run Winmgmt VerifyRepository, and confirm that the repository is in good shape.

Monitoring:

You have to parse event 5858 to get the critical info, so other events are easier to use for monitoring. The most critical events to watch for relating to WMI are still in the Windows-Application log, not Microsoft-Windows-WMI-Activity/Operational log (where event 5858 is found). All of the most serious errors that will show up with an event 5858 will also have something in the Windows-Application log. Documentation for the most relevant events are listed in multiple topics under this reference: //technet.microsoft.com/en-us/library/cc727020(v=ws.10).aspx

In summary:

Event 5858 is confusing, generally ignorable, and unfortunately not something we can get rid of easily. It does provide valuable information if you know how to parse it. The most relevant information is the ResultCode in the UserData section copy and paste that into a search of TechNet for meaningful information.

• Edited by Keith Bankston (MSFT) Thursday, May 30, 2013 9:31 PM
• Proposed as answer by mcbsys Saturday, March 22, 2014 7:53 PM

Thanks for your detailed and authoritative (MSFT) reply. In my view, the objective is not to get rid of Event 5858, but to get rid of the code that generates the ignorable instances of Event 5858.

Last spring (2013), I wrote a mof file that generates the 32 or 34 objects that WMIDiag.vbs chokes on and informs almost every user that they are missing.  I copied information for most of the classes from various places on the internet checking for accuracy of the information.  Compiling this .mof file in addition to running the batch file described below will clear up most or all of the 0x80041002 WMI errors that WMIDiag generates and the diagnostic will run successfully in most cases where there is not any really serious structural repository damage. I've modified WMIDiag.vbs to successfully run on Windows 8.0, 8.1 and Windows Server 2012.

I also wrote a large batch file (116KB) that repairs many repository issues.  A lot of posted WMI repair batch files and instructions for repairing the repository do not take ALL issues into consideration and can cause their own problems.  For example, there are uninstall .mof files in %Windir%\System32\wbem and %Windir%\System32\wbem\en-US.  If the uninstall .mof and .mfl files are not temporarily renamed while compiling mof files the user will compile the uninstall information also uninstalling anywhere from 8 to 34 or more .mof files and the entire set of classes for each.  Almost all batch files found on the internet try to compile the language specific files (.mfl) in the %Windir%\System32\wbem folder when the .mfl files actually reside in the %Windir%\System32\wbem\en-US folder for Windows 7 and 8, so you must change folders appropriately or use the correct path when compiling .mfls.  Output from my batch operations is written to a text log file which can be searched for the word "error" to verify success or failure of all operations.  A couple of zero length mof files in the %Windir%\System32\wbem\en-US folder are also temporarily renamed to avoid spurious errors.

I am currently working on a batch file that sets the correct ownership and permissions for the %Windir%\System32\wbem and %Windir%\System32\wbem\en-US folders.  Execution of this batch file enables users to edit and compile mof and mfl files in the appropriate Windows folders.  The batch file uses Subinacl.exe for this purpose. My batch file would be good for home systems or offline systems, but I don't think any corporate users would want to screw around with any of their Windows permissions in this manner.  The batch file removes the read only attribute from the Windows folder and WBEM subfolders and files and it adds "full control" security for System, Administrators, and TrustedInstaller.  Local Service, Network Service and Users are given either modify or read and execute rights.  These last security settings will not sit right with many corporate users with online systems.  It also ensures that most Windows registry keys and subkeys are owned by Administrators and that full control is given to Administrators and System with Users getting read access.  The last major change it performs is to modify Program Files and Program Files (x86) so that the user can write and store data in the folders and sub-folders.  I prefer this option since I install many portable applications on my systems and I prefer to store program configuration in .ini files in the program folders when possible rather than the Appdata folders.  This way I can copy a portable application from my system and know I have the latest configuration settings included.

I make these tools available for download from a OneDrive folder if I think they can help someone.

• Edited by RichardtheGeek 10 hours 34 minutes ago Make more descriptive

Last spring (2013), I wrote a mof file that generates the 32 or 34 objects that WMIDiag.vbs chokes on and informs almost every user that they are missing.  I copied information for most of the classes from various places on the internet checking for accuracy of the information.  Compiling this .mof file in addition to running the batch file described below will clear up most or all of the 0x80041002 WMI errors that WMIDiag generates and the diagnostic will run successfully in most cases where there is not any really serious structural repository damage. I've modified WMIDiag.vbs to successfully run on Windows 8.0, 8.1 and Windows Server 2012.

I also wrote a large batch file (116KB) that repairs many repository issues.  A lot of posted WMI repair batch files and instructions for repairing the repository do not take ALL issues into consideration and can cause their own problems.  For example, there are uninstall .mof files in %Windir%\System32\wbem and %Windir%\System32\wbem\en-US.  If the uninstall .mof and .mfl files are not temporarily renamed while compiling mof files the user will compile the uninstall information also uninstalling anywhere from 8 to 34 or more .mof files and the entire set of classes for each.  Almost all batch files found on the internet try to compile the language specific files (.mfl) in the %Windir%\System32\wbem folder when the .mfl files actually reside in the %Windir%\System32\wbem\en-US folder for Windows 7 and 8, so you must change folders appropriately or use the correct path when compiling .mfls.  Output from my batch operations is written to a text log file which can be searched for the word "error" to verify success or failure of all operations.  A couple of zero length mof files in the %Windir%\System32\wbem\en-US folder are also temporarily renamed to avoid spurious errors.

I am currently working on a batch file that sets the correct ownership and permissions for the %Windir%\System32\wbem and %Windir%\System32\wbem\en-US folders.  Execution of this batch file enables users to edit and compile mof and mfl files in the appropriate Windows folders.  The batch file uses Subinacl.exe for this purpose. My batch file would be good for home systems or offline systems, but I don't think any corporate users would want to screw around with any of their Windows permissions in this manner.  The batch file removes the read only attribute from the Windows folder and WBEM subfolders and files and it adds "full control" security for System, Administrators, and TrustedInstaller.  Local Service, Network Service and Users are given either modify or read and execute rights.  These last security settings will not sit right with many corporate users with online systems.  It also ensures that most Windows registry keys and subkeys are owned by Administrators and that full control is given to Administrators and System with Users getting read access.  The last major change it performs is to modify Program Files and Program Files (x86) so that the user can write and store data in the folders and sub-folders.  I prefer this option since I install many portable applications on my systems and I prefer to store program configuration in .ini files in the program folders when possible rather than the Appdata folders.  This way I can copy a portable application from my system and know I have the latest configuration settings included.

I make these tools available for download from a OneDrive folder if I think they can help someone.

• Edited by RichardtheGeek Friday, August 07, 2015 8:28 PM Make more descriptive

Seems like that would be some good stuff to share. CodePlex (The link below) is a great place to host Win related software.....

http://www.codeplex.com/

Thanks for the suggestion.  I've continued working on the projects over the last couple of months.  It would only require a little clean-up to make the projects presentable.  I've also modified WMIDiag.vbs to operate with Windows 8, 8.1 and Windows Server 2012.  It ran successfully for me on Win 8 and 8.0 and for another guy with Windows Server 2012.  I could probably make that available also.  After running my programs, I have an absolutely clean WMIDiag report.  I'll give it some thought and maybe in a week or so I'll put it on codeplex.

Thanks for the suggestion.  I've continued working on the projects over the last couple of months.  It would only require a little clean-up to make the projects presentable.  I've also modified WMIDiag.vbs to operate with Windows 8, 8.1 and Windows Server 2012.  It ran successfully for me on Win 8 and 8.0 and for another guy with Windows Server 2012.  I could probably make that available also.  After running my programs, I have an absolutely clean WMIDiag report.  I'll give it some thought and maybe in a week or so I'll put it on codeplex.

@RichardtheGeek:  Sorry to resurrect this message, however, this project that you are working on with WMI and Server/8.1/etc, not only sounds like a daunting and intricate task but also an incredibly useful one in both personal environments and enterprise alike.  I was wondering if you did in fact host your most current products online so that I may look into them for my purposes on my own domains/systems/test and live environments.  Were you able to post the product online?  BTW I applaud your efforts to even begin to tackle WMI and WBEM issues! I am sure you are aware first hand of how abundant, annoying, destructive if not handled properly and anxiety laden WMI and WBEM are.  I have resulted to the easy way out method of rename or remove and rebuild on a few occasions which yes works and lets you move past for a bit, however, returns like a plaque later on at the worst of times it seems.  It sounds like the work you have done so far is a big leap towards the "correct" way of handling the WMI and WBEM problems and I do respect that!  Hope to hear from you soon! -Chad

I tried to do it the right way instead of simply deleting the repository and rebuilding.  There are too many issues involved for rebuilding the repository to be an adequate solution.  For example if you rebuild the repository by mofcomping all .mof files, there are uninstall .mof files also and the user uninstalls anywhere from 8 to 36 functions unknowingly depending on OS.  The uninstall files must be managed so that specific classes are not uninstalled.  Also, the language specific .mfl files are stored in the en-US folder, not in the WBEM folder so they don't get recompiled during a rebuild.  There are a number of other nagging issues with rebuilding the repository such as zero length files that generate a mofcomp error.  I've rarely found a system yet that I cannot get WMIDiag.vbs to run without errors without deleting and rebuilding the repository.  I've only worked on a dozen or so systems with the stuff.  Unfortunately, I have not found a place to publish my stuff.  I make it available to from my Onedrive when requested.  Let me know what your problem is and I'll let you know if my stuff will help.

I do appreciate your efforts in explaining your actions. I have been running 8.1 for some time without this issue until an update downloaded and installed on 09/02/2015. I would greatly appreciate copies of your batch files, because this issue is triggering a domino of issues in warnings, errors, etc.

Many thanks for your help

 

What type of problem are you having?  If you provide more information I can tailor the batch file(s) I send you.  Sorry it took me so long to respond, your email went into my junk mail folder.