1115321 10:20:34.5323064 PM wmiprvse.exe 2724 CloseFile C:\Windows\System32\tzres.dll SUCCESS
1115324 10:20:34.5324188 PM wmiprvse.exe 2724 QueryStandardInformationFile C:\Windows\System32\tzres.dll SUCCESS AllocationSize: 4,096, EndOfFile: 2,048, NumberOfLinks: 1, DeletePending: False, Directory: False
1115328 10:20:34.5325959 PM wmiprvse.exe 2724 CloseFile C:\Windows\System32\tzres.dll SUCCESS
1115329 10:20:34.5326125 PM wmiprvse.exe 2724 CreateFile C:\Windows\System32\en-US\tzres.dll.mui SUCCESS Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
1115332 10:20:34.5327013 PM wmiprvse.exe 2724 QueryStandardInformationFile C:\Windows\System32\en-US\tzres.dll.mui SUCCESS AllocationSize: 20,480, EndOfFile: 18,944, NumberOfLinks: 2, DeletePending: False, Directory: False
1115336 10:20:34.5333601 PM wmiprvse.exe 2724 QueryOpen C:\Windows\System32\tzres.dll FAST IO DISALLOWED
1115337 10:20:34.5336879 PM wmiprvse.exe 2724 CloseFile C:\Windows\System32\en-US\tzres.dll.mui SUCCESS
1115339 10:20:34.5340095 PM wmiprvse.exe 2724 CreateFile C:\Windows\System32\tzres.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
1115340 10:20:34.5340912 PM wmiprvse.exe 2724 QueryBasicInformationFile C:\Windows\System32\tzres.dll SUCCESS CreationTime: 1/18/2008 10:59:11 PM, LastAccessTime: 1/19/2008 2:24:58 AM, LastWriteTime: 11/2/2006 12:05:07 AM, ChangeTime: 3/5/2008 2:29:13 PM, FileAttributes: A
1115341 10:20:34.5341305 PM wmiprvse.exe 2724 CloseFile C:\Windows\System32\tzres.dll SUCCESS
1115343 10:20:34.5341950 PM wmiprvse.exe 2724 QueryOpen C:\Windows\System32\tzres.dll FAST IO DISALLOWED
1115344 10:20:34.5345423 PM wmiprvse.exe 2724 CreateFile C:\Windows\System32\tzres.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
1115345 10:20:34.5345949 PM wmiprvse.exe 2724 QueryBasicInformationFile C:\Windows\System32\tzres.dll SUCCESS CreationTime: 1/18/2008 10:59:11 PM, LastAccessTime: 1/19/2008 2:24:58 AM, LastWriteTime: 11/2/2006 12:05:07 AM, ChangeTime: 3/5/2008 2:29:13 PM, FileAttributes: A
1115346 10:20:34.5346293 PM wmiprvse.exe 2724 CloseFile C:\Windows\System32\tzres.dll SUCCESS
1115348 10:20:34.5346913 PM wmiprvse.exe 2724 CreateFile C:\Windows\System32\tzres.dll SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
1115350 10:20:34.5347922 PM wmiprvse.exe 2724 QueryStandardInformationFile C:\Windows\System32\tzres.dll SUCCESS AllocationSize: 4,096, EndOfFile: 2,048, NumberOfLinks: 1, DeletePending: False, Directory: False
1115352 10:20:34.5348427 PM wmiprvse.exe 2724 CreateFile C:\Windows\System32\tzres.dll SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
1115356 10:20:34.5349242 PM wmiprvse.exe 2724 QueryStandardInformationFile C:\Windows\System32\tzres.dll SUCCESS AllocationSize: 4,096, EndOfFile: 2,048, NumberOfLinks: 1, DeletePending: False, Directory: False
1115357 10:20:34.5351181 PM wmiprvse.exe 2724 CloseFile C:\Windows\System32\tzres.dll SUCCESS
1115362 10:20:34.5353233 PM wmiprvse.exe 2724 CloseFile C:\Windows\System32\tzres.dll SUCCESS
1115364 10:20:34.5360080 PM wmiprvse.exe 2724 QueryOpen C:\Windows\System32\tzres.dll FAST IO DISALLOWED
1115365 10:20:34.5360208 PM wmiprvse.exe 2724 CreateFile C:\Windows\System32\en-US\tzres.dll.mui SUCCESS Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
1115367 10:20:34.5362581 PM wmiprvse.exe 2724 QueryStandardInformationFile C:\Windows\System32\en-US\tzres.dll.mui SUCCESS AllocationSize: 20,480, EndOfFile: 18,944, NumberOfLinks: 2, DeletePending: False, Directory: False
1115368 10:20:34.5362947 PM wmiprvse.exe 2724 CreateFile C:\Windows\System32\tzres.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
1115371 10:20:34.5363607 PM wmiprvse.exe 2724 QueryBasicInformationFile C:\Windows\System32\tzres.dll SUCCESS CreationTime: 1/18/2008 10:59:11 PM, LastAccessTime: 1/19/2008 2:24:58 AM, LastWriteTime: 11/2/2006 12:05:07 AM, ChangeTime: 3/5/2008 2:29:13 PM, FileAttributes: A
1115373 10:20:34.5363872 PM wmiprvse.exe 2724 CloseFile C:\Windows\System32\tzres.dll SUCCESS
1115375 10:20:34.5364900 PM wmiprvse.exe 2724 CloseFile C:\Windows\System32\en-US\tzres.dll.mui SUCCESS
1115377 10:20:34.5366723 PM wmiprvse.exe 2724 CreateFile C:\Windows\System32\tzres.dll SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened1115320 10:20:34.5322271 PM wmiprvse.exe 2724 CreateFile C:\Windows\System32\tzres.dll SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened

Hi Tomas,

Generally speaking, it is quite normal that the WmiPrvSE process cost 4-6 percent of CPU consumption when a specific software requires its facilities.

The WmiPrvSE.exe is a host process for WMI provider services.WMI provider services were loaded in-process with the WMI Service (a new request to WMI would restart the WMI Service). This is an essential service which will start whenever a specific piece of software requires its facilities.

You may check with the 2 different Windows Server 2008 operation system, and see if they are installed with different roles or features or other third party appliction. You may also disable all the third party application on the server to see if the issue will be reoccur.

Hope it helps.

Did you install the Feature: "Windows System Resource Manager"?

WhenI enabled this feature, the CPU went up on the wmiprvse process. (and stopped when i removed the feature).

• Proposed as answer by Bill Phillips Jr Friday, October 03, 2008 6:39 PM

• Proposed as answer by Mulb Monday, March 30, 2009 7:22 PM

In ProcessExplorer I am seeing two instances of WmiPrvSE.exe.

Looking at the properties of both there seems to be a pretty big difference in the resources each instance has been using:

The second instance has usedmore CPU time than *any* other process - surely that cannot be right?

PS: The server has only been up for ~130hrs.

In ProcessExplorer I am seeing two instances of WmiPrvSE.exe.

Looking at the properties of both there seems to be a pretty big difference in the resources each instance has been using:

The second instance has usedmore CPU time than *any* other process - surely that cannot be right?

PS: The server has only been up for ~130hrs.

• Edited by Luke Maslany Tuesday, February 10, 2009 5:10 PM Added uptime

• Proposed as answer by kev4570 Monday, April 21, 2014 7:43 PM

"Process Name","PID","Operation","Path","Result","Detail","Sequence","TID","Category","Time of Day"

"wmiprvse.exe","2652","Process Profiling","","SUCCESS","User Time: 24369.8125000, Kernel Time: 304590.4687500, Private Bytes: 9,588,736, Working Set: 13,250,560","n/a","1832","","5:05:04.2801934 PM"

"wmiprvse.exe","2652","QueryStandardInformationFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\hplt8m2.dat","SUCCESS","AllocationSize: 172,032, EndOfFile: 170,042, NumberOfLinks: 1, DeletePending: False, Directory: False","n/a","1400","Read Metadata","5:05:04.2854198 PM"

"wmiprvse.exe","2652","QueryStandardInformationFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\hplt8m2.dat","SUCCESS","AllocationSize: 172,032, EndOfFile: 170,042, NumberOfLinks: 1, DeletePending: False, Directory: False","n/a","1520","Read Metadata","5:05:04.2864111 PM"

"wmiprvse.exe","2652","QueryStandardInformationFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\hplt8m2.dat","SUCCESS","AllocationSize: 172,032, EndOfFile: 170,042, NumberOfLinks: 1, DeletePending: False, Directory: False","n/a","1400","Read Metadata","5:05:04.2865925 PM"

"wmiprvse.exe","2652","QueryStandardInformationFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\hplt8m2.dat","SUCCESS","AllocationSize: 172,032, EndOfFile: 170,042, NumberOfLinks: 1, DeletePending: False, Directory: False","n/a","1400","Read Metadata","5:05:04.2871798 PM"

@FHofmann77

hi,

did you make any configuration changes after you installed the patch or did it run just as installed? We were also experiencing such problems mit a w2008 terminal server, at the moment the feature is uninstalled.

thanks in advance

marco

The network seems to be running mine. What's it Doing?

Renee

same here only mine was running at 40-50%..

uninstalled CPU meter and Network meter gadgets from sidebar, and it went to 0% immediately.

Hello All,

WMIPRVSE.EXE is a WMI Provider Host kind of like svchost.exe, meaning that its essentially a shell. There are lots of different types of WMI providers and what they do is left up to the developer. Some may provide information about a custom application or assist in reporting information about a piece of hardware.

If you are interested in understanding why wmiprvse.exe may be consuming resources such as cpu on your system, you first need to find out what providers are running inside of that instance of wmiprvse.exe.

Assuming you know which PID is consuming lots of cpu, start by getting a list of PID's running wmiprvse.exe by running this a command prompt:

tasklist /fi "imagename eq wmiprvse.exe"

This should show a table similar to this:

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
WmiPrvSE.exe                1716 Services                   0      7,240 K

Next we need to list all of our WMI providers and see which PID they are hosted in.

C:\Windows\System32>wmic path msft_providers get hostinggroup,hostprocessidentifier,namespace,provider,user /format:list

Note the HostProcessIdentifier as it is the PID of an instance of wmiprvse.exe

HostingGroup=DefaultNetworkServiceHost
HostProcessIdentifier=1716
Namespace=root\CIMV2
provider=CIMWin32 <-- Name of the provider. There are providers for different types of software such as Exchange, MS SQL. etc etc
User=

Here we can see that Process 1716 is hosting the CIMWin32 Provider. Its reponsible for providing access to all of the Win32 classes such as Win32_ComputerSystem or Win32_QuickFixEngineering. Sometimes you are going to see that mulitple providers are being hosted under the same instance of wmiprvse.exe. When this happens you will need to narrow your scope even further by using Process Exporer and examining the stack to see which DLL(Provider) is responsible for the high cpu.

Hope this helps you track down you wmiprvse.exe high cpu issues!

I'll say this: any resort to WMI will be 1.) slow 2.) ineffecient Cpu wise and 3.) highy consumptive of memory. I wouldn't advise using it.

Renee

That's a pretty broad brush to paint "WMI" with. Its "speed" or "cpu" or "memory" usuage is up to the developer writing the provider.

In most management scenarios it makes sense to use WMI instead of trying to reinvent the wheel.

C:\Windows\System32>wmic path msft_providers get hostinggroup,hostprocessidentifier,namespace,provider,user /format:list

Note the HostProcessIdentifier as it is the PID of an instance of wmiprvse.exe

HostingGroup=DefaultNetworkServiceHost
HostProcessIdentifier=1716
Namespace=root\CIMV2
provider=CIMWin32 <-- Name of the provider. There are providers for different types of software such as Exchange, MS SQL. etc etc
User=

Here we can see that Process 1716 is hosting the CIMWin32 Provider. Its reponsible for providing access to all of the Win32 classes such as Win32_ComputerSystem or Win32_QuickFixEngineering. Sometimes you are going to see that mulitple providers are being hosted under the same instance of wmiprvse.exe. When this happens you will need to narrow your scope even further by using Process Exporer and examining the stack to see which DLL(Provider) is responsible for the high cpu.

Hope this helps you track down you wmiprvse.exe high cpu issues!

Hi Michael,

I followed your steps and I got this:

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
WmiPrvSE.exe                  2404                            0     36,184 K

HostingGroup=DefaultNetworkServiceHost
HostProcessIdentifier=2404
Namespace=root\CIMV2
provider=CIMWin32
User=

HostingGroup=DefaultNetworkServiceHost
HostProcessIdentifier=2404
Namespace=root\CIMV2
provider=Win32_WIN32_TERMINALSERVICE_Prov
User=

I looked for WmiPrvSE.exe  in Process Exporer according to its PID, but what's exactly what do I need to search for? didn't quite understand this part: "you will need to narrow your scope even further by using Process Exporer and examining the stack to see which DLL(Provider) is responsible for the high cpu"

Thanks

Hi Michael,

I followed your steps and I got this:

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
WmiPrvSE.exe                  2404                            0     36,184 K

HostingGroup=DefaultNetworkServiceHost
HostProcessIdentifier=2404
Namespace=root\CIMV2
provider=CIMWin32
User=

HostingGroup=DefaultNetworkServiceHost
HostProcessIdentifier=2404
Namespace=root\CIMV2
provider=Win32_WIN32_TERMINALSERVICE_Prov
User=

I looked for WmiPrvSE.exe  in Process Exporer according to its PID, but what's exactly what do I need to search for? didn't quite understand this part: "you will need to narrow your scope even further by using Process Exporer and examining the stack to see which DLL(Provider) is responsible for the high cpu"

Thanks

• Proposed as answer by fivesterlings Saturday, May 19, 2012 9:58 AM
• Unproposed as answer by fivesterlings Saturday, May 19, 2012 9:58 AM

WmiPrvSe.exe has been using up to 50% of my cpu (Lenovo laptop vista SP2) for about a month. I have fixed it after a lot of work by tracking it down, using ProcMon (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx), to a hyperactive registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} 

Some application was clearly frantically trying to get info from my <acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card">Network interface card extremely frequently.</acronym>

<acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card"></acronym>

<acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card">In my office I connect to an ethernet LAN and at home to a WiFi modem. The solution, found by some thought, was to prioritise my network connections to put the connection being used at the top of the list. </acronym>

<acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card">To do this without entering the registry see, for example, </acronym>http://www.hosteng.com/FAQFiles/EZ%20Ethernet.htm.

 viz:

          If you have WinXP:
               (1)  Start -->  Control Panel.
               (2)  Double-click on the "Network Connections" icon.
               (3)  On the menu at the top, select Advanced --> Advanced Settings...
               (4)  On the "Adapters and Bindings" tab, in the top window, select the connection you are using.
               (5)  Use the green arrows at the right to move this connection to the top of the list.
               (6)  Press <OK> and close Network Connections window.
               (7)  You may have to reboot your PC.
          If you have WinVista:
               (1)  Start -->  Control Panel.
               (2)  Double-click on the "Network & Sharing Center" icon.
               (3)  At the left of this window, click on "Manage network connections"
               (4)  Press the <ALT> key to make a menu appear at the top of this window.
               (5)  On the menu at the top, select Advanced --> Advanced Settings...
               (6)  On the "Adapters and Bindings" tab, in the top window, select the connection you are using.
               (7)  Use the green arrows at the right to move this connection to the top of the list.
               (8)  Press <OK> and close Network Connections window.
               (9)  You may have to reboot your PC.

Simple! Hope this saves others lots of frustration.

WmiPrvSe.exe has been using up to 50% of my cpu (Lenovo laptop vista SP2) for about a month. I have fixed it after a lot of work by tracking it down, using ProcMon (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx), to a hyperactive registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} 

Some application was clearly frantically trying to get info from my <acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card">Network interface card extremely frequently.</acronym>

<acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card"></acronym>

<acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card">In my office I connect to an ethernet LAN and at home to a WiFi modem. The solution, found by some thought, was to prioritise my network connections to put the connection being used at the top of the list. </acronym>

<acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card">To do this without entering the registry see, for example, </acronym>http://www.hosteng.com/FAQFiles/EZ%20Ethernet.htm.

 viz:

          If you have WinXP:
               (1)  Start -->  Control Panel.
               (2)  Double-click on the "Network Connections" icon.
               (3)  On the menu at the top, select Advanced --> Advanced Settings...
               (4)  On the "Adapters and Bindings" tab, in the top window, select the connection you are using.
               (5)  Use the green arrows at the right to move this connection to the top of the list.
               (6)  Press <OK> and close Network Connections window.
               (7)  You may have to reboot your PC.
          If you have WinVista:
               (1)  Start -->  Control Panel.
               (2)  Double-click on the "Network & Sharing Center" icon.
               (3)  At the left of this window, click on "Manage network connections"
               (4)  Press the <ALT> key to make a menu appear at the top of this window.
               (5)  On the menu at the top, select Advanced --> Advanced Settings...
               (6)  On the "Adapters and Bindings" tab, in the top window, select the connection you are using.
               (7)  Use the green arrows at the right to move this connection to the top of the list.
               (8)  Press <OK> and close Network Connections window.
               (9)  You may have to reboot your PC.

Simple! Hope this saves others lots of frustration.

• Proposed as answer by PokerBrat Tuesday, October 02, 2012 5:54 PM

Do you understand why this is astupid answer? It doesnot take cpu speeds into account.

Renee

Which is reason I dont fool with management software.

Renee

Dear Renee

My problem is fixed, would you kindly explain what you mean about taking cpu speeds into account? with thanks.

I don't think so.I'm a developer and I wouldn't dream of using WMI unless a customer requested a slow and piggish  solution.

Renee

Different CPU's have different execution speeds and different number of cores. For exanple, this isa Sandy Bridge Extreme and righr now it the faster processor on the planet.

That will change and Sandy Bridge in a relative sense will be slower as new technologies evolve,

Renee

OK Renee, I'm quite willing to learn from an expert. Are you saying that there is a better way to manage my Vista O/S LAN and WiFi network connections which by-passes Windows Management Instrumentation? Could you tell me how to find out how, I guess that means programming the relevant registry keys manually and disabling the management software?

Fivesterlings

If you're on Vista you are in luck! Lan is acessacble in ways that it isn't in Win7 or WAN I should say.

I have some remaing WAN code.

Renee

I was seeing three instances of WmiPrvSE.exe.  In the busiest one, about 25% CPU, Process Monitor showed acess to tzres.dll a lot.  When I right clicked on it, selected Properties, then the Process tab, I saw an entry for guard32.dll from COMODO.  I'm not currently running COMODO, I thought, but tracing that down led to Comodo System Services, which I'd installed while looking for a cure for a search results hijacking virus.  I uninstalled the Comodo System Services and the third, busy, instance of WmiPrvSE.exe disappeared.  Now I have just one instance running, at 11 or 12%.  Hopefully that will help cool down my rather warm laptop.

I hope this might help someone else!  The Sysinternals Process Monitor and Process Explorer are very handy tools.

Hello, i have similar problem on hp proliant server running windows 2008 (32bit) with 4cores cpu, the WmiPrvSE.exe process is shortly after boot consuming 25% of CPU (i.e. 100% of one core) for ever and for example Disk Management does not work anymore.

C:\>tasklist /fi "imagename eq wmiprvse.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
WmiPrvSE.exe                  3964 Services                   0     26,536 K
WmiPrvSE.exe                  6576 Services                   0      6,056 K

C:\>wmic path msft_providers get hostinggroup,hostprocessidentifier,namespace,provider,user /format:list
^C (command just hangs)

7532 thread stack (the one with one cpu core full usage):

!std::num_put<char,std::ostreambuf_iterator<char,std::char_traits<char> > >::_Put+0x12


!LPoly+0x21c



!_dllonexit+0x9f
!CollectPerformanceData+0x228c1
!CollectPerformanceData+0x22852
!CollectPerformanceData+0x234f6
!CollectPerformanceData+0x231b3
!CollectPerformanceData+0x232ba
!NLG_Return
!CollectPerformanceData+0x20b4f
!CollectPerformanceData+0x27040e
!initterm+0x13
!CollectPerformanceData+0x20abe3
!CollectPerformanceData+0x20adab
!CollectPerformanceData+0x20ae78
ntdll.dll!RtlQueryInformationActivationContext+0x1b7
ntdll.dll!RtlEncodeSystemPointer+0x56d
ntdll.dll!LdrLoadDll+0x35b
ntdll.dll!LdrLoadDll+0x11f
!LoadLibraryExW+0x24c
!ElfRegisterEventSourceW+0x3c42
!ElfRegisterEventSourceW+0x3aff
!WmiQuerySingleInstanceW+0xc2d
!WmiQuerySingleInstanceW+0xae6
!RegQueryValueExW+0x97
!PdhGetCounterInfoA+0x2f84
!PdhLookupPerfNameByIndexW+0x1c9d
!PdhEnumMachinesA+0x196
!PdhEnumObjectsHW+0x124
!PdhEnumObjectsW+0x101
!DllCanUnloadNow+0x2b1
!DllCanUnloadNow+0x1432
!RpcServerUnregisterIf+0x1004
!NdrStubCall2+0x27f
!CStdStubBuffer_Invoke+0xa0
!CWbemInstance::GetPropQualifier+0x61
!WdtpInterfacePointer_UserUnmarshal+0x1e09
!WdtpInterfacePointer_UserUnmarshal+0x1f9d
!CoRevokeClassObject+0xb145
!CoRevokeClassObject+0xb056
!WdtpInterfacePointer_UserUnmarshal+0x6de
!WdtpInterfacePointer_UserUnmarshal+0x1cdf
!WdtpInterfacePointer_UserUnmarshal+0x6ee
!RpcServerUnregisterIf+0x1236
!RpcServerUnregisterIf+0x10e4
!I_RpcGetBufferWithObject+0x34d
!I_RpcGetBufferWithObject+0x2cf
!RpcServerUnregisterIf+0x14d7
!RpcServerUnregisterIf+0x13e5
!RpcServerUnregisterIf+0xc35
!I_RpcSend+0x7fe
!NdrTypeFlags+0x82b
!NdrTypeFlags+0x3d4
!NdrTypeFlags+0x39b
!NdrTypeFlags+0x41e
!BaseThreadInitThunk+0x12
ntdll.dll!RtlInitializeExceptionChain+0x63
ntdll.dll!RtlInitializeExceptionChain+0x36


!LPoly+0x1b4
!std::num_put<char,std::ostreambuf_iterator<char,std::char_traits<char> > >::do_put+0x59
!std::num_put<char,std::ostreambuf_iterator<char,std::char_traits<char> > >::do_put+0x43


ntdll.dll!RtlFreeHeap+0x23f



ntdll.dll!RtlAllocateHeap+0x95



!std::basic_streambuf<char,std::char_traits<char> >::sputc+0x33
!StrStrW+0x8cbf8



ntdll.dll!RtlEnterCriticalSection
!LPoly+0x1708




---------------------------
Process Explorer
---------------------------
The module cannot be located
---------------------------
OK   
---------------------------

i'm not able to identify any DLL which can be connected with this strange issue

any advice please?

"

  (1)  Start -->  Control Panel.
               (2)  Double-click on the "Network & Sharing Center" icon.
               (3)  At the left of this window, click on "Manage network connections"
               (4)  Press the <ALT> key to make a menu appear at the top of this window.
               (5)  On the menu at the top, select Advanced --> Advanced Settings...
               (6)  On the "Adapters and Bindings" tab, in the top window, select the connection you are using.
               (7)  Use the green arrows at the right to move this connection to the top of the list.
               (8)  Press <OK> and close Network Connections window.
               (9)  You may have to reboot your PC.

Simple! Hope this saves others lots of frustration."

This fixed it for me on Server 2008.  In my case an unused adapter was at the top of the binding's list.  I moved the working adapter to the top and killed the Wmiprvse.exe and it didn't come back.   If the binding order was wrong, the process would return instantly to a 25% usage state.  

Thank you for this. 

• Proposed as answer by simrick Saturday, June 29, 2013 2:48 PM

Setting the correct order to the binding of the network cards helped but there is still a fair amount of chatter.  If you 'Restart' (not Stop then Start) the service "Windows Management Instrumentation" in the Services panel then the 'WmiPrvSE.exe' activity drops almost to zero.  All of the dependent services will automatically get restarted if you use the 'Restart' option.

@DG3

Thank you very much for this tip!! I have a W8Pro MediaCtr with a single core AMD Athlon 64 3500+ (Orleans) processor. WmiPrvSE.exe was taking up 50% of the CPU constantly! This is a desktop, and setting the binding order of network adapters didn't apply to me, as I only have the ethernet adapter, and the VPN adapter (no wireless). I noticed hyper activity with the Time Zone DLL in Process Monitor (tzres.dll). Restarting Windows Management Instrumentation did the trick, and it's now running at 0% of the CPU, if at all.

Setting the correct order to the binding of the network cards helped but there is still a fair amount of chatter.  If you 'Restart' (not Stop then Start) the service "Windows Management Instrumentation" in the Services panel then the 'WmiPrvSE.exe' activity drops almost to zero.  All of the dependent services will automatically get restarted if you use the 'Restart' option.

@DG3

Thank you very much for this tip!! I have a W8Pro MediaCtr with a single core AMD Athlon 64 3500+ (Orleans) processor. WmiPrvSE.exe was taking up 50% of the CPU constantly! This is a desktop, and setting the binding order of network adapters didn't apply to me, as I only have the ethernet adapter, and the VPN adapter (no wireless). I noticed hyper activity with the Time Zone DLL in Process Monitor (tzres.dll). Restarting Windows Management Instrumentation did the trick, and it's now running at 0% of the CPU, if at all.

• Edited by simrick Saturday, June 29, 2013 2:53 PM added time zone filename

It looks like I was able to resolve it on a Server 2008 R2 Sp1 server by running the command winmgmt.exe /resetrepository

If I restarted the WMI service in services.msc It would drop obviously, but would rapidly climb back up to High percentages.  Once I ran that command to reset the repository, CPU slowly came down to a cool 1 - 2 % mostly 0%

I searched so long for an answer, and at least for now this is a solution.  I have been only monitoring it for a few hours after I flushed the repository but It seems to be holding.  I am installing SP2 tonight but Have my fingers crossed.

Deselo

Running the command "winmgmt.exe /resetrepository" solves the problem, however it only reappears on the next login...

I disabled from automatic startup all services that depended on "Windows Management Instrumentation", but no change...

for me i used the command and got an error message also saying access is denied. I already tried to get access through properties but was unsuccessful. How did you get access to it???

I have a

TOSHIBA Satellite C855D with windows 8

Hey there,

I have a suspicion that when WMI starts, it's out of sync with other security items installed on Windows like anti-virus, firewalls, etc. What I noticed was, at least in my case, it ran early in the startup process, and didn't detect the presence of my McAfee utilities (anti-virus, firewall, etc.). So, WMI tried to fire up those services... and kept trying to, even after McAfee started up.

I noticed that only after I restarted WMI, suddenly in my Win Action Center (Security section), it detected McAfee was running those services for me (not the default Windows services), and POOF, no CPU usage problem.

So, I created a scheduled task definition that simply auto-restarts WMI and its underlying services a few seconds after login. It has to be delayed a bit, because WMI has to actually start up with the "wrong" settings first.

Here is the definition of the task (you'll need to substitute your user name where it's specified).

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2013-12-12T14:04:02.5955723</Date>
    <Author>Angelo B.</Author>
    <Description>Improves CPU usage by WMI</Description>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Delay>PT22S</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>*ENTER_YOUR_WINDOWS_USER_ACCOUNT_HERE*</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>net</Command>
      <Arguments>stop "IP Helper"</Arguments>
    </Exec>
    <Exec>
      <Command>net</Command>
      <Arguments>stop "Security Center"</Arguments>
    </Exec>
    <Exec>
      <Command>net</Command>
      <Arguments>stop "Intel(R) Rapid Storage Technology"</Arguments>
    </Exec>
    <Exec>
      <Command>net</Command>
      <Arguments>stop Winmgmt</Arguments>
    </Exec>
    <Exec>
      <Command>net</Command>
      <Arguments>start Winmgmt</Arguments>
    </Exec>
    <Exec>
      <Command>net</Command>
      <Arguments>start "Security Center"</Arguments>
    </Exec>
    <Exec>
      <Command>net</Command>
      <Arguments>start "IP Helper"</Arguments>
    </Exec>
    <Exec>
      <Command>net</Command>
      <Arguments>start "Intel(R) Rapid Storage Technology"</Arguments>
    </Exec>
  </Actions>
</Task>

This now works reliably every time I restart or log in.

Thank You, Michael S [MSFT]. Your post lead me down a twisted path to find this hotfix which alleviated my WmiPrvSE.exe high CPU utilization issue on Windows 2008 R2.

MS Article ID: KB2617858
Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7

http://support.microsoft.com/kb/2617858/en-us

• Edited by Vinh Q Nguyen Monday, May 19, 2014 5:54 PM

winmgmt.exe /resetrepository worked like a charm. Thanks! :D

MrMeireles

Hey there,

I have a suspicion that when WMI starts, it's out of sync with other security items installed on Windows like anti-virus, firewalls, etc. What I noticed was, at least in my case, it ran early in the startup process, and didn't detect the presence of my McAfee utilities (anti-virus, firewall, etc.). So, WMI tried to fire up those services... and kept trying to, even after McAfee started up.