Is WMIprvse a real villain?

How often has it happened that you were working on something and your computer suddenly became slow? You opened Task Manager to find the culprit hogging your system's CPU cycles, sorted the processes by CPU usage, and saw WMIprvse.exe happily sitting at the top.

Before blaming WMIprvse.exe, have you ever considered that some other application may have contracted WMIprvse.exe to create havoc on your computer? WMIprvse.exe (the WMI Provider Host) runs WMI queries on behalf of other processes, so here is how you can find the client that is using it to eat up your system resources.

Open Event Viewer (Control Panel\System and Security\Administrative Tools\Event Viewer) and, from the View menu, enable “Show Analytic and Debug Logs”.


Navigate to Application and Services Logs -> Microsoft -> Windows -> WMI-Activity

Right-click on WMI-Activity -> Trace and select Properties.


Select “Enable Logging”

Now you are all set to trace the path the culprit takes.

Let’s see what a typical event looks like and try to understand the various fields in the event.

GroupOperationID: a unique identifier used for all events reported for a specific client.

OperationId: indicates the position of this operation in the client's sequence of operations.

Operation: the WMI query issued by the client application. In the above example, CreateInstanceEnum has been issued on the win32_process class.

ClientMachine: the computer name from which the request originated.

User: the account that made the request to WMI, whether by running a script or through CIM Studio.

ClientProcessId: the process identifier of the process that issued the WMI query.

NamespaceName: the WMI namespace to which the connection was made.

(Visit https://msdn.microsoft.com/en-us/library/aa826686(VS.85).aspx for detailed information.)

A quick lookup of the ClientProcessId in Task Manager (add the PID column if it is not shown) gives you the name of the process against which you might want to take action to bring your computer back to normal.
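The same procedure in script form, as an added example (not code from the original post): enable the trace log with wevtutil, read the trace events with Get-WinEvent, and group them by ClientProcessId so that the PID is resolved to a process name instead of being looked up by hand. The field names are the ones described above; the log name Microsoft-Windows-WMI-Activity/Trace is how the Event Viewer path above appears to wevtutil and Get-WinEvent.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# prompt. Field names (ClientProcessId, Operation, NamespaceName, User) follow
# the WMI-Activity trace event layout described in the post.

$logName = 'Microsoft-Windows-WMI-Activity/Trace'

# Equivalent of "Enable Logging" in Event Viewer; /q:true suppresses the prompt.
wevtutil set-log $logName /e:true /q:true

# Give the log a moment to collect activity, then read it. Analytic/debug logs
# must be read with -Oldest; if Windows refuses to open the log while it is
# still enabled, disable it first with: wevtutil set-log $logName /e:false
Start-Sleep -Seconds 30
$events = Get-WinEvent -LogName $logName -Oldest -ErrorAction Stop

# Pull the named EventData fields out of each event's XML.
$queries = foreach ($evt in $events) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if (-not $data.ContainsKey('ClientProcessId')) { continue }
    [pscustomobject]@{
        ClientProcessId = [int]$data['ClientProcessId']
        Operation       = $data['Operation']
        NamespaceName   = $data['NamespaceName']
        User            = $data['User']
    }
}

# Map PIDs to live process names. A client that has already exited cannot be
# resolved, and PIDs are reused, so treat the name as a strong hint, not proof.
$running = @{}
Get-Process | ForEach-Object { $running[$_.Id] = $_.ProcessName }

$queries | Group-Object ClientProcessId | Sort-Object Count -Descending |
    Select-Object -First 10 | ForEach-Object {
        $clientPid = [int]$_.Name
        $name = if ($running.ContainsKey($clientPid)) { $running[$clientPid] } else { '<exited>' }
        [pscustomobject]@{
            ClientProcessId = $clientPid
            ProcessName     = $name
            QueryCount      = $_.Count
            SampleOperation = $_.Group[0].Operation
            Namespace       = $_.Group[0].NamespaceName
        }
    } | Format-Table -AutoSize
```

The process issuing the most queries is the one to investigate further; disable the trace log again with `wevtutil set-log Microsoft-Windows-WMI-Activity/Trace /e:false` when you are done, since analytic logs are high-volume.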


Hope this helps you find the real villain!

Varun Singh

MSFT