wmiprvse.exe ntdll.dll  0xc0000374 five minutes after system start, five times, steals app-focus
I am trying to trace down a weird wmiprvse.exe event log message which appears exactly five minutes after the system was started, five times. The log entry:

------------
Name der fehlerhaften Anwendung: wmiprvse.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc794
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7600.16385, Zeitstempel: 0x4a5be02b
Ausnahmecode: 0xc0000374
Fehleroffset: 0x00000000000c6cd2
ID des fehlerhaften Prozesses: 0x840
Startzeit der fehlerhaften Anwendung: 0x01cb0370a04eadf4
Pfad der fehlerhaften Anwendung: C:\Windows\system32\wbem\wmiprvse.exe
Pfad des fehlerhaften Moduls: C:\Windows\SYSTEM32\ntdll.dll
Berichtskennung: e1bce4c2-6f63-11df-b05f-00218562b064

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-06-03T23:00:49.000000000Z" />
    <EventRecordID>19732</EventRecordID>
    <Channel>Application</Channel>
    <Computer>JOU-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>wmiprvse.exe</Data>
    <Data>6.1.7600.16385</Data>
    <Data>4a5bc794</Data>
    <Data>ntdll.dll</Data>
    <Data>6.1.7600.16385</Data>
    <Data>4a5be02b</Data>
    <Data>c0000374</Data>
    <Data>00000000000c6cd2</Data>
    <Data>6b8</Data>
    <Data>01cb03709643dfcf</Data>
    <Data>C:\Windows\system32\wbem\wmiprvse.exe</Data>
    <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data>d9a134d5-6f63-11df-b05f-00218562b064</Data>
  </EventData>
</Event>
------------

Those five events always steal the application focus; if a game is running full screen it will switch to the desktop. If I type in an application like notepad some keystrokes get lost. With alt-space I can see there is some kind of invisible window or message for a few seconds in the middle of the screen, since I get the menu you get in every app when hitting alt-space. A few seconds after those events the following event appears 2 times:

------------
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-LoadPerf" Guid="{122EE297-BB47-41AE-B265-1CA8D1886D40}" />
    <EventID>3012</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2010-06-03T23:01:33.674312200Z" />
    <EventRecordID>19747</EventRecordID>
    <Correlation />
    <Execution ProcessID="1576" ThreadID="1668" />
    <Channel>Application</Channel>
    <Computer>JOU-PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="LoadPerf">
      <param1>Performance</param1>
      <binaryDataSize>16</binaryDataSize>
      <binaryData>37070000000000000000000009030000</binaryData>
    </EventXML>
  </UserData>
</Event>
------------

one time:

------------
Fehler beim Herunterladen der Zeichenfolgen der Leistungsindikatoren für Dienst "WmiApRpl" (WmiApRpl). Der Fehlercode ist das erste DWORD im Datenbereich.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-LoadPerf" Guid="{122EE297-BB47-41AE-B265-1CA8D1886D40}" />
    <EventID>3011</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2010-06-03T23:01:33.705512300Z" />
    <EventRecordID>19749</EventRecordID>
    <Correlation />
    <Execution ProcessID="1576" ThreadID="1668" />
    <Channel>Application</Channel>
    <Computer>JOU-PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="LoadPerf">
      <param1>WmiApRpl</param1>
      <param2>WmiApRpl</param2>
      <binaryDataSize>8</binaryDataSize>
      <binaryData>F20300004D070000</binaryData>
    </EventXML>
  </UserData>
</Event>
------------

Ruled out: Antivirus, Daemon Tools etc. etc., a lot of programs which are uninstalled right now. sfc /scannow finds nothing wrong. I activated WMI logging, http://blogs.technet.com/b/askperf/archive/2008/03/04/wmi-debug-logging.aspx - but absolutely no event logged there matches the time those events appear. Doing those command line WMI checks as described in http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/9b009617-9c2f-4a50-96f2-3b831ca152a1 showed everything OK. Going through the scheduler checking all defined tasks (including those many from Microsoft), but none matches "five minutes after system start".
June 4th, 2010 2:52am

Can you check the running state of the Windows Management Instrumentation service? When those errors occur, does the running state change?
June 4th, 2010 3:54am

Can you check the running state of the Windows Management Instrumentation service? When those errors occur, does the running state change?

State: Running. State during that effect: does not change, stays on running. The service config is set so that it only tries to restart twice upon error, not 5 times.
June 4th, 2010 8:53am

Please verify that various WMI namespaces can be connected to, then update WMI on all involved Windows 2008 machines.
954563 Memory corruption may occur with the Windows Management Instrumentation (WMI) service on a computer that is running Windows Server 2008 or Windows Vista Service Pack 1
http://support.microsoft.com/default.aspx?scid=kb;EN-US;954563

Triple wrong: first, I did those checks as noted in my post and everything is fine. I do not have Hyper-V issues. You point to Vista/Server 2008 updates, but I am running Windows 7; on Windows 7 it requires KB981314, which I already installed, and KB974930, which cannot be applied since it is not Server 2008 R2 with Hyper-V. Thanks for trying though.
June 4th, 2010 8:59am

Gotcha! At least a part of it. Windows Error Reporting causes the WMI crash log entry. Setting the service to "disabled" clears up the errors; the effect does not reappear. However, I don't like the service to be disabled. We will see what I discover while digging on; I know that WER is the cause for the WMI crash, but WER itself seems to work, I can see it delivering error reports. If anyone has hints please tell.
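The checks discussed in this thread (crash events timed against boot, the LoadPerf 3011/3012 events that follow, the WMI service state and its restart-on-failure setting, and the state of Windows Error Reporting) can be collected in one pass rather than read out of the event viewer by hand. The script below is an added example and is not code from any poster in this thread. It assumes Windows 7 or later with PowerShell 3 or newer (for Get-CimInstance and -FilterHashtable), an elevated prompt, and that the Properties[] index layout for Event 1000 matches the thirteen <Data> fields in the XML posted above. Exception code 0xc0000374 is STATUS_HEAP_CORRUPTION, so each row also shows how many minutes after boot the faulting host died.

```powershell
# Added triage script; not code from any poster in this thread.
# Assumptions: Windows 7 or later with PowerShell 3+ (Get-CimInstance,
# -FilterHashtable), run from an elevated prompt. The Properties[] layout for
# Event 1000 is taken from the 13 <Data> fields in the XML posted above:
# [0] app, [3] module, [6] exception code, [7] offset, [8] PID (hex), [12] report id.

$os       = Get-CimInstance Win32_OperatingSystem
$bootTime = $os.LastBootUpTime
"Last boot: $bootTime"

# --- 1. Application Error (Event 1000) crashes of wmiprvse.exe since boot ----
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $bootTime
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -ieq 'wmiprvse.exe' }

$crashes | ForEach-Object {
    [pscustomobject]@{
        Time          = $_.TimeCreated
        MinAfterBoot  = [math]::Round(($_.TimeCreated - $bootTime).TotalMinutes, 1)
        Module        = $_.Properties[3].Value
        ExceptionCode = $_.Properties[6].Value    # c0000374 = STATUS_HEAP_CORRUPTION
        Offset        = $_.Properties[7].Value
        FaultingPid   = [Convert]::ToInt32($_.Properties[8].Value, 16)
        ReportId      = $_.Properties[12].Value
    }
} | Format-Table -AutoSize

# --- 2. LoadPerf 3011/3012 events that follow the crash. The event text says
#        the error code is the first DWORD of the binary data (little-endian). --
$perf = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-LoadPerf'
    Id           = 3011, 3012
    StartTime    = $bootTime
} -ErrorAction SilentlyContinue

$perf | ForEach-Object {
    $x   = [xml]$_.ToXml()
    $hex = [string]$x.Event.UserData.EventXML.binaryData   # e.g. F20300004D070000
    # Take the first four bytes and reverse them out of little-endian order.
    $le   = -join (3..0 | ForEach-Object { $hex.Substring($_ * 2, 2) })
    $code = [Convert]::ToUInt32($le, 16)
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Service = [string]$x.Event.UserData.EventXML.param1
        Win32   = $code
        Message = (New-Object ComponentModel.Win32Exception([int]$code)).Message
    }
} | Format-Table -AutoSize

# --- 3. WMI and Windows Error Reporting service state, plus the WMI service
#        recovery actions (the "restart twice on failure" setting above). ------
Get-CimInstance Win32_Service -Filter "Name='Winmgmt' OR Name='WerSvc'" |
    Select-Object Name, State, StartMode, ProcessId
sc.exe qfailure Winmgmt
```

On a stock Windows 7 install that still has PowerShell 2, replace Get-CimInstance with Get-WmiObject and convert LastBootUpTime with [Management.ManagementDateTimeConverter]::ToDateTime before subtracting; everything else is unchanged. A consistent MinAfterBoot value across reboots is the kind of evidence that points to a timed trigger (a service or WER action) rather than a random crash, which is what the last post in this thread eventually found.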
July 18th, 2010 1:50pm

This topic is archived. No further replies will be accepted.
