Windows Server 2008 R2 Enterprise, 64-Bit Frequent High CPU Utilization from WMIPRVSE.EXE Network User
For the past 6 weeks, we have one Windows Server 2008 R2 Enterprise 64-bit running as a VMware virtual machine that periodically spikes the processor to between 90% - 100%. Task manager reveals that between 40%-90% of this is consumed by the process "WMIPRVSE.EXE" owned by the NETWORK SERVICE. Killing/restarting/reinstalling items like TSM and SEP11 clients help to some degree, but the processor doesn't drop down to anything lower than 50%, again most processing being used by WMIPRVSE.exe. Rebooting helps clear the issue for several hours but it always returns at some point without warning, or some triggered event (like the startup of a nightly backup) - the issue starts at random times. Using Sysinternals ProcessExplorer we see 1.3million repeated entries where WMIPRVSE.exe is trying to access, open, modify, and close the tzres.dll file. This is the not a virus, we know the tzres.dll file is an authentic MS file. Looking further at the files, it appears that tzres.dll has a modified date of 6/19/2010, version number 6.1.7600.16617. The accompanying file tzutil.exe has a modified date of 7/13/2009 version number 6.1.7600.16385. Going to a clean Windows 2008 R2 Enterprise 64-bit install, both tzres.dll and tzutil.exe have the same date and version number of 7/13/2009 and 6.1.7600.16385. Please note, I have already researched the following fix: http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/0b0d0f2c-3a1b-4959-a557-b44d1612b6bb This server has been confirmed as NOT running WSRM or Terminal Services. I am wondering if we replace the tzres.dll file with one that matches the tzutil.exe (actually replace both in case both are corrupt) - would that solve the issue? If not, what other paths to troubleshoot may I take? The event logs for both system and application do not have indicators of issues related to WMIPRVSE.exe.
May 26th, 2011 2:34pm

Hi, Please try to install the hotfix from the following Microsoft KB article to update the Tzres.dll file version and check the result. December 2010 cumulative time zone update for Windows operating systems http://support.microsoft.com/kb/2443685 In addition, you may also refer to the following Microsoft MSDN blog for how to troubleshoot this issue. Using Netmon to figure out the source of high CPU in WMIprvse.exe http://blogs.msdn.com/b/ntdebugging/archive/2009/04/24/using-netmon-to-figure-out-the-source-of-high-cpu-in-wmiprvse-exe.aspx Regards,Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
May 26th, 2011 11:24pm

Hi, I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help. Regards, Arthur Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com .Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 29th, 2011 10:13pm

Thank you for the response, I am working to get the patches implemented in the next 3 days and will update this thread. Thanks very much for your quick and thorough answer. For now I would like to hold off on marking as "answered" but will do so by the end of the week. In the meantime, I will provide positive feedback form you Arthur, your response was great, comprehensive, and appreciated. I will update you on the CPU utilization by the end of the week and will also update this thread as I watch the server's behavior over the next three weeks. Thanks,Jason B. Allen
Free Windows Admin Tool Kit Click here and download it now
May 31st, 2011 10:11am

Hi, It has been a while since my previous suggestions was posted and I'm writing to find out if you have had an opportunity to test my suggestions yet. If you need my further assistance, please do not hesitate to let me know, and I will be happy to help. I look forward to your reply. Regards, Arthur Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com .Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 13th, 2011 10:10pm

Arthur, I wanted to let you know that I have been watching the server since I last emailed. I have watched closely over the server, checking twice a day every day now for 2 weeks. Before applying the patch, there was a lull in the processor experiencing high utilization. That is to say, before we applied the patch, we rebooted the server and saw the processor staying relatively normal for no more than 2 weeks at a time. After applying the patch (we didn't need to run NetMon to dig deeper) the processor has returned to expected levels of usage. Thanks Arthur for your quick and correct answer, and also your follow-through. I will leave positive feedback for you. Thanks again, and I hope this post helps someone else in the future.Jason B. Allen
Free Windows Admin Tool Kit Click here and download it now
June 15th, 2011 9:26pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics