Is WMIprvse a real villain?


How often has it happened that you were working on something and your computer suddenly became slow? You opened Task Manager to find the culprit hogging your system's CPU cycles, sorted the processes by CPU usage, and saw WMIprvse.exe happily sitting at the top.


Before putting the blame on WMIprvse.exe, have you ever wondered whether some other application has contracted WMIprvse.exe to create havoc on your computer? Here's how you can find the culprit that is using WMIprvse.exe to eat up your system resources.


Open Event Viewer (Control Panel\System and Security\Administrative Tools\Event Viewer) and enable “Show Analytic and Debug Logs”.



 


Navigate to Application and Services Logs -> Microsoft -> Windows -> WMI-Activity


Right-click on WMI-Activity -> Trace and select Properties


 


 


Select “Enable Logging”




And now you are all set to trace the path the culprit takes.


Let’s see what a typical event looks like and try to understand the various fields in the event.



 


GroupOperationID: a unique identifier that is used for all events reported for a specific client.


OperationId: indicates the operation sequence.


Operation: This will give you the WMI query issued by the client application. In the above example, CreateInstanceEnum has been issued on the win32_process class.


ClientMachine: Computer name from which the request originated.


User: indicates the account that makes a request to WMI by running a script or through CIM Studio.


ClientProcessId: Process Identifier for the process which issued the WMI query.


NamespaceName: shows the WMI namespace to which the connection is made.


(Visit http://msdn.microsoft.com/en-us/library/aa826686(VS.85).aspx for detailed information.)


A quick lookup in Task Manager for the ClientProcessId will give you the name of the process against which you might want to take action to bring your computer back to its normal state.
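When the Trace log holds many events, the same lookup can be scripted over the event messages exported as text. The following is an added example, not code from the original post: the sample events are constructed in the "Key = value" layout quoted in the comments, the function names are hypothetical, and it uses GroupOperationId (as described above) to attribute provider-side events, which carry no ClientProcessId, to the client that triggered them.

```python
import re
from collections import Counter

# Constructed sample messages in the "Key = value; ..." layout of WMI-Activity
# trace events. Machine names, users and PIDs are invented for illustration.
NS = r"NamespaceName = \\.\root\CIMV2"
SAMPLE_EVENTS = [
    r"GroupOperationId = 41; OperationId = 900; Operation = Start IWbemServices::CreateInstanceEnum - Win32_Process; ClientMachine = WKSTN01; User = WKSTN01\alice; ClientProcessId = 4120; " + NS,
    r"ProviderInfo for GroupOperationId = 41; Operation = Provider::CreateInstanceEnum - CIMWin32 : Win32_Process; HostID = 5804; ProviderName = CIMWin32",
    r"GroupOperationId = 42; OperationId = 901; Operation = Start IWbemServices::ExecQuery - select * from Win32_Process where Name = 'a.exe'; ClientMachine = WKSTN01; User = WKSTN01\alice; ClientProcessId = 4120; " + NS,
    r"GroupOperationId = 43; OperationId = 902; Operation = Start IWbemServices::ExecQuery - select * from Win32_Service; ClientMachine = WKSTN01; User = WKSTN01\bob; ClientProcessId = 812; " + NS,
    r"GroupOperationId = 44; OperationId = 903; Operation = Start IWbemServices::GetObject - Win32_OperatingSystem; ClientMachine = Local; User = SYSTEM; ClientProcessId = 0; " + NS,
]

# A value runs until the next "; Key = " or end of line, so a WQL query that
# itself contains " = " (e.g. "where Name = 'a.exe'") stays in one field.
FIELD_RE = re.compile(r"(\w+) = (.*?)(?=; \w+ = |$)")

def parse_event(message):
    """Split one event message into a {field: value} dict."""
    return dict(FIELD_RE.findall(message))

def top_clients(messages):
    """Rank client PIDs by event count; returns (ranking, unattributed)."""
    events = [parse_event(m) for m in messages]
    # Map each GroupOperationId to the client PID that started the operation.
    group_to_pid = {e.get("GroupOperationId"): int(e["ClientProcessId"])
                    for e in events if "ClientProcessId" in e}
    per_pid, unattributed = Counter(), 0
    for e in events:
        pid = group_to_pid.get(e.get("GroupOperationId"))
        if not pid:  # unknown group, or PID 0, which is not an application
            unattributed += 1
        else:
            per_pid[pid] += 1
    return per_pid.most_common(), unattributed

def operations_for(messages, pid):
    """Distinct client-side operations issued by one PID, in log order."""
    seen = []
    for e in map(parse_event, messages):
        op = e.get("Operation")
        if e.get("ClientProcessId") == str(pid) and op not in seen:
            seen.append(op)
    return seen

if __name__ == "__main__":
    ranking, skipped = top_clients(SAMPLE_EVENTS)
    print("events per client PID:", ranking, "| unattributed:", skipped)
    print("operations of busiest client:", operations_for(SAMPLE_EVENTS, ranking[0][0]))
```

The PID at the top of the ranking is the one to look up in Task Manager, and its operation list shows which classes it keeps querying.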


 


Hope this will help in finding the real villain!!


Varun Singh


MSFT


Comments (45)

  1. Thanks for the tip Varun, but is there a chance to find the real villain in XP too? Usually we use ProcessExplorer and look at the threads wmiprvse is starting but this has one huge disadvantage: it’s realtime only.

  2. someone who complains a lot says:

    What OSes is this tip valid for? When you publish tips like this you should always say what OSes it is valid for. That said, it is very useful, for a few of us anyway.

    Thanks

  3. Tiago says:

    Hi, This worked for me!!!

    I followed the tutorial, and I found out that DChelper.exe from Asus Direct Console 2.0 was causing this issue. Now I have 1~10% of CPU Usage!

    Thanks a lot!

  4. Confused person says:

    So I followed all of your steps to the part where I enabled logging, then I tried to run the trace, and an error showed up, which didn't let me run the trace properly. Please let me know what to do.

  5. Joe K says:

    Thanks, this was pretty darn useful info! It would be nice if they stuck this right in the process monitor. SVCHOST is another one of these proxies… will this work on that too I wonder….

    Cheers.

  6. K says:

    Thanks for the information. iBooty (an application that is used to boot your jailbroken iPhone) was causing the problem for me.

  7. XP user says:

    How would I do this in XP?

    Thanks.

  8. Basileus says:

    Hi,

    Actually I've been looking for a way to bring down wmiprvsrv.exe load for a long time – installed different anti viruses scan, loggers etc. It is your tutorial which helped to pin point a real CPU killer – application from Cisco Pure Networks. Since I am not using it anymore I just removed it (first I stopped its process and it helped) and that just SOLVED THE PROBLEM.

    Thank you very much (even though you probably will not read the comment, your article is like 3 years old already). 😀

  9. Grateful reader says:

    This was of great help, problem was resolved swiftly. Thanks a lot! (Offending application was sidebar.exe, specifically a buggy gadget)

  10. Kitty says:

    cimwin32.dll is causing the problem, and I have no idea if it's safe to do anything with. Please help? Google gave me no answers, and I really don't know what to do. I don't wanna kill my computer, and when I googled what it was it said it was my operating system.

    I have windows 8, if that helps.

  11. Dan says:

    cimwin32.dll is the culprit on mine too.  I'm running Windows 7.  It seems to be in some kind of endless loop.  I haven't found any useful or directional answers on Google either for cimwin32.dll.  There are 2 versions running – one that has SYSTEM as the user name and another that has NETWORK SERVICE as the user name.  The NETWORK SERVICE one is the problem.

    An interesting note however – my computer at work also runs Windows 7.  WMIprvse.exe isn't always running on that one.  That computer also has different Microsoft updates.

  12. Nolan says:

    The "Show Analytic and Debug Logs" is grayed out! Help?

  13. mark l says:

    What if my ClientProcessId = 0? Which it does.

    "GroupOperationId = 360; OperationId = 18424; Operation = Start IWbemServices::ExecQuery – select * from Win32_Process; ClientMachine = Local; User = .SYSTEM; ClientProcessId = 0; NamespaceName = \\.\root\CIMV2"

    Then what does that mean?

  14. Matt says:

    My report is completely different to the rest of yours…

    "ProviderInfo for GroupOperationId = 118; Operation = Provider::CreateInstanceEnum – CIMWin32 : Win32_Process; HostID = 5804; ProviderName = CIMWin32; ProviderGuid = {d63a5850-8f16-11cf-9f47-00aa00bf345c}; Path = %systemroot%\system32\wbem\cimwin32.dll"

    What does this mean, and how can I sort this annoying problem out?

  15. SteveLee says:

    cimwin32.dll is the Provider that services many of the Win32_* classes in the root/cimv2 namespace.  That by itself is actually not the whole story.  The issue really depends on who is using that provider (for example, if an application is enumerating Win32_Process repeatedly, this would cause wmiprvse.exe to load cimwin32.dll to carry out the request).

  16. RP says:

    Based on another thread I've seen I've used the Windows Services utility (Task Manager-Services-Services-Standard) to stop the Windows Management Instrumentation service, which in turn kills Windows Security Center.  Is there a bug with Security Center?

  17. vincent says:

    I traced it to this. It looks like a Windows process.

    clientProcessId = 1360

    NamespaceName = \\.\Root\Microsoft\Homenet

  18. vincent says:

    Issue resolved.  I ran a virus scan.  I had a few viruses.  After deleting the viruses the problem went away.

  19. Pete says:

    Like RP said stopping Windows Management Instrumentation service always takes care of this for me. Is there a fix for that?

  20. Tyson says:

    Well I didn't stop WMI because it stops security center, but I did pause and unpause it. Seemed like the problem disappeared.

  21. Stanley J says:

    I didn't research the problem right away. I just did a System Restore and the problem went away. Hope it does not come back.

  22. Robert says:

    It seems the below process is using high CPU. What is the solution? I see two WMI Prv SE.exe. How is this possible?

    GroupOperationId = 77; OperationId = 164; Operation = Start IWbemServices::GetObject – __Win32Provider.Name="CIMWin32"; ClientMachine = Local; User = .SYSTEM; ClientProcessId = 0; NamespaceName = \\.\root\CIMV2

  23. nicholas says:

    What if the clientprocessid is 0?

  24. Mistah Poptarts says:

    I was reading the comments and realized I was having the same problem as some here. I figured it out. To get to the part where it tells you the group operation ID and whatnot, you have to close (I said yes to the little window that popped up after I pressed enable, not sure if it helped or not) and then open WMI-activity. Hope I helped.

  25. elcoyotl says:

    Logging is powerful stuff; I got a nice log.  ClientProcessid = 0. so I'm stuck

  26. Erico says:

    Ping Back OK……..Thank's

    http://j.mp/19vCZgE

  27. Dave says:

    Followed the instructions on Vista Home Premium.  TM shows it running but log shows nothing, ie, no events–blank

  28. Berban says:

    I agree with what Tyson said – pausing and unpausing it seems to handle the problem. I just made a script to do this and set it to run a few minutes after startup.

    net pause Winmgmt

    net continue Winmgmt

  29. Satyajit says:

    Thanks, found the real culprit service & made (rather saved) my day 🙂

  30. Tony says:

    This is all well and good for people that have the smarts to follow all the convoluted instructions here, but what about the people who don't? Is there something that I can have my non techie father do who lives 5 hours away that doesn't take a rocket scientist?

  31. Adge Cutler says:

    Amazing, helpful post! I had spent hours trying to find out what was eating CPU on one of my servers and found the rogue service in minutes after following these instructions. They couldn't be more simple to follow either..

  32. NessPJ says:

    Can anyone make this into a small tool that just points out the PID (or even better… process/service name) right away?

    I tried following the guide, but clearly I'm doing something wrong because I've ended 3 processes and/or uninstalled the software they relied on and the problem still persists.

    Clearly I'm following the wrong process or something…

    Anyone know where I could go for someone creating a tool for this?

  33. dsh4783 says:

    For me the real villain here was 'Comodo System Utilities' – however, this does beg the question of what is wrong with the design of Windows, and why these issues do not exist in the Unix-type operating systems such as OSX, Linux & BSD (which are vastly superior to Windows, much easier to troubleshoot, more stable & reliable, and much more sensible in terms of their fundamental system architecture)

  34. djmtek says:

    So nice to see someone actually explain things rather than just saying "go to the clientprocessid".  Well done Varun!

  35. Anonymous says:

    Installed GoPro software. CPU was going to 65%. The ventilator went crazy.  Stopped when killing the init of the GoPro software.

  36. Anonymous says:

    So WMI can be abused by other apps, Villain is still WMI, disable WMI.  Could have been a shorter article.

  37. Anonymous says:

    Restarting the WMI service is only a temporary fix.  Each time I restart my computer the problem keeps coming back.

  38. Anonymous says:

    Thank you very much for changing my scope of conception about this process and its origins.

  39. Anonymous says:

    Good info! Thanks, Varun and the Contributors!

  40. Niels says:

    Thank you for this post, it's been a great help. Had a CPU that was fluctuating from 10% to 100% every 5 seconds on my domain controller.

    Managed to track it down to software another admin had installed called 'Netwrix Account Lockout Examiner' that was running in the background.

  41. Maynard_JK says:

    Thank you, finally I resolved problem with high CPU utilization by WMIprvse.exe, the problem was RescueTime agent who apparently tried to cooperate with WMIprvse.exe.