Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
3. On the General tab, click the Selective startup option, and then click to clear the Load startup items check box.
(The Use Original Boot.ini check box is unavailable.)
4. On the Services tab, click to select the Hide all Microsoft services check box, and then click Disable all.
Note This step lets Microsoft services continue to run. These services include Networking, Plug and Play, Event Logging,
Error Reporting, and other services. If you disable these services, you may permanently delete all restore points. Do not
do this if you want to use the System Restore utility together with existing restore points.
5. Click OK, and then click Restart.
Solution 3 - Using Netmon to figure out the source of high CPU in WMIprvse.exe
Recently I was working with a customer who had a file server experiencing high CPU in the WMIprvse.exe process. We
received multiple user dumps and noted that someone or something was running the same query again and again. We
needed to figure out what was running the query in a tight loop, causing the high CPU.
At this point I requested user dumps of PID 452 from the customer. This would allow me to determine who was making
the RPC calls to svchost.exe to run the WMI queries. While the customer was uploading the dumps, we decided to get a
Network Monitor trace to see if the RPC calls were coming over the network.
Immediately, I could see a lot of RPC traffic to the svchost.exe process(PID=452).
Figure 2 ] Network Monitor Output from the FileServer. Notice the Source and destination ports and IP addresses. IP
addresses are hidden by the aliases
Looking at the RPC payload, I could see the text of the WMI query. You can see this in the Hex Details Pane. The query
that was running in a loop was Select * from Win32_Process. Looks like I found the source of the WMI queries.
At this point, we got the source IP for the RPC packets. We logged into the machine, and brought up the Task Manager.
Restart the Windows management Instrumentation Service. The dependent services will restart in the proper order
and youll see the CPU go way down to normal levels.
just access your Services program. The easiest way to find is just click Start, type Services, hit Enter. Under Services
(Local), scroll down until you find the Windows Management Instrumentation service and select Restart.
How often has it occurred that you were working on something and suddenly your computer became slow? You opened
task manager to find out the culprit that is hogging your systems CPU cycles. You sorted the processes according to CPU
usage and saw WMIprvse.exe happily sitting at the top.
Before putting the blame on WMIprvse.exe have you ever wondered that it can be that some other application
contracted the WMIprvse.exe to create havoc on your computer? Heres how you can find the culprit which is using
WMIprvse.exe to eat up your system resources.
Open Event viewer (Control Panel\System and Security\Administrative Tools\Event Viewer) and enable Show Analytic
and Debug Logs
Navigate to Application and Services Logs ]> Microsoft ]> Windows ]> WMI]Activity
Right Click on WMI]Activity ]> Trace and select Properties
And now you are all set to trace the path culprit takes.
Lets see how a typical event looks like and try to understand the various fields in the event
GroupOperationID: is a unique identifier that is used for all events reported for a specific client.
OperationId: indicates the operation sequence.
Operation: This will give you the WMI query issued by the client application. In the above example,
CreateInstanceEnum has been issued on the win32_process class.
ClientMachine: Computer name from which the request originated.
User: indicates the account that makes a request to WMI by running a script or through CIM Studio.
ClientProcessId: Process Identifier for the process which issued the WMI query.
NamespaceName: shows the WMI namespace to which the connection is made
(Visit http://msdn.microsoft.com/en]us/library/aa826686(VS.85).aspx for detailed information.)
A quick look up in the task manager for the ClientProcessId will give you the process name against which you might
want to take action to bring your computer back to the normal state.
Hope this will help in finding the real villain!
http://blogs.technet.com/b/askperf/archive/2014/08/11/wm
Windows Management Instrumentation Service (Winmgmt) or WMIprovider (wmiprvse.exe) is consuming high amounts
of memory.
oughts from the EPS Windows Server Performance Team
There are many reasons why WMI might experience high memory consumptions. This can occur in the WMI (Windows
Management Instrumentation) service (winmgmt) or in the WMI provider hosting vehicle wmiprvse.exe. Both scenarios will
be addressed below.
High memory usage may simply be due to load, as opposed to some type of leak. By default, the memory quota limit for
instances of wmiprvse.exe on Windows XP and Windows Server 2003 is 128 MB, and 512 MB on newer Operating Systems
(Vista and higher). Hit those limits and wmi functionality will become problematic if not come to a grinding halt.
There is another case where the quota limit problem could happen. There is limit for all wmiprvses cumulatively. If the
total memory of all instances of wmiprvses (with one exception) together reaches 1GB, then all new memory allocations
fail in all wmiprvse processes.
As a first effort you can try to bump up that quota limit to see if it gives enough room for wmiprvse to operate, but if you
still reach the new quota limit, then you will want to proceed with the Scenarios below
How To Bump up WMI memory quota limit:
Go to Start--> Run and type wbemtest.exe
Click Connect
In the Class Info dialog box enter Superclass Name as "__ProviderHostQuotaConfiguration" (without quotes) and
press OK. Note: the Superclass name includes a double underscore at the front.
In the Object Editor window, double-click whichever Property name you wish to modify the quota for. In this case
that will be MemoryPerHost
In the Value dialog, type in 536870912 (512 MB) for XP and Windows 2003. For Vista and higher, start with new
value of 805306368 (768), then move to 1073741824 (1024) if still needing room. At the same time, if you are
going to bump up the MemoryPerHostLimit, you should also then bump up the MemoryAllHost limit to
2147483648 (2048) provided you have the available ram to do so. If this does not resolve quota violation issue, then
need to troubleshoot cause of high memory usage following below Scenario section
Click Save Property.
Click Save Object.
Close Wbemtest.
Restart the machine
Note: if you cannot restart the machine, then as a workaround, you can break Windows Management Instrumentation
service into its own svchost process outline in step 2. a-c below.
If bumping the quota limits does not resolve the issue, then as workaround you can try to move suspected leaking
providers into their own group (wmiprvse) to avoid the memory quota caused by other providers running in the group or
kill the instance of wmiprvse exhibiting high memory until issue is resolved. This is outlined below in Scenarios 1a and 2a.
First thing we need to determine is if the memory consumption being caused by private data or heap data. We have to
address the 2 types differently.
1. Download a Windows Sysinternals tool call VMMap from following url: http://technet.microsoft.com
/en-us/sysinternals/dd535533.aspx
VMMapis a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual
memory types as well as the amount of physical memory (working set) assigned by the operating system to those types.
This tool is used to attach to an individual process allowing a snapshot to be taken to see the memory map for that
process.
2. Simply launch VMMap and from the process list it displays, pick the instance of wmiprvse showing the
high working set memory usage.
3. If it is a svchost process that is exhibiting high memory, from a command run scqueryex winmgmt to
identify the PID of the svchost process that is hosting WMI Service (winmgmt). From experience it will be the
WMI service more times than not but not always as the service using majority of the memory; as such I
would try to break it out first on its own and monitor to see if it is the one driving up high memory usage in
the shared svchost process.
From this point, I will assume it is the WMI service as this article is only addressing WMI and no other services.
You will need to break the WMI service out into its own svchost process first if it hasnt already been accomplished so you
can run VMMap specifically against the WMI service to truly know if it is being consumed by Heap or Private Data. By
default the WMI service runs in a shared svchost process with a community of other services. You can do so by the
following directions. If it is caused by Heap, you will find later in the Scenario directions below that you will have to go
back and uniquely name the svchost process for the service to run in to be able to enable User Stack Tracingagainst it.
a. Open command prompted with elevated privileges
b. Break wmi service out into its own svchost process by running following command: sc config winmgmt
type= own
c. Restart wmi service with net stop winmgmt and net start winmgmt commands
d. Verify winmgmt service running in its own svchost process by runnning tasklist /svc
4. Once it displays the result, look under the size column for Private Data and Heap. This should tell you if
The Windows Management Instrumentation service runs under the display name of winmgmtand is located in
networking svchost.exe process shared along with several other services. You need to break the WMI service out into its
own unique svchost process for data collection purposes.
NOTE: If you have already broken the WMI service out to run in its own general svchost process following directions at
beginning of this article, then you can skip to step 6 to uniquely name the svchost process it is running in. We do this
because we only want to enable User Stack Tracingagainst just the WMI service and not every svchost process.
1. Open command prompted with elevated privileges
2. Break wmi service out into its own svchost process by running following command: sc config winmgmt type=
own
3. Restart wmi service with net stop winmgmt and net start winmgmt commands
4. Verify winmgmt service running in its own svchost process by runnning tasklist /svc
5. Change command focus to system32 folder and run following command: copy svchost.exe wmisvchost.exe
6. From start run type in regedit and navigate to HKLM\System_CurrentControlSet\Services\Winmgmt
7. Modify existing ImagePath from %systemroot%\system32\svchost.exe -k netsvcs to %systemroot%\system32
\wmisvchost.exe -k netsvcs
Note: It is important that you go back and reverse what you did in step 7 and modify path back to original after
you are no longer needing the service to be broken out and uniquely named as failure to do this can prevent
future WMI hotfixes from being installed.
Simply run following command then restart wmi service: sc config winmgmt type= share
8. Restart wmi service with net stop winmgmt and net start winmgmt commands again
9. Verify you now see wmisvchost.exe process running by running tasklist or looking in task manager at
process list
10. For sake of brevity here, follow steps 4-14 from Scenario 1a with the exception of typing in
wmisvchost.exe in place or wmiprvse.exe for process we are enabling Create user mode stack trace
database against.
11. Here we want to use procdump to dump the wmisvchost.exe process along with every instance of
wmiprvse.exe that is running. Reference steps 9-11 listed in Scenario 1a above.
First command will dump wmisvchost.exe 3 times spaced at 5 minute interval. Once it has completed, and then run second
command to dump out each instance of wmiprvse.exe that is running.
Command for dumping wmisvchost.exe would be: procdump ma -s 300 -n 3 wmisvchost.exe
Command for dumping each instance of wmiprvse just once: procdump ma <PID>
Note: Replace <PID> with actual PID for each instance of wmiprvse.exe
At this point you will now need to open a Support Incident Case with Microsoft to get the process dumps analyzed
to determine cause of high memory usage
Reference this blog when you open the Support Incident Case with Microsoft as it will help the engineer
understand what actions have been taken or followed and will help us track the effectiveness of the blog.
Scenario 2a: High Memory Consumption by Wmiprvse.exe caused by Private Data memory
This scenario is a little bit different than being caused by Heap, as just dumps in of themselves normally do not tell the full
story. In this type of case, we need to know what type of wmi activity is occurring and it becomes significantly harder and
more involved to try and determine cause.
We will need to collect procdumps still, but also need to add in WMI activity logging.
1. From start run type in eventvwr.msc
2. On the View menu at the top select show analytical and debug logs so it displays check mark next to it
3. Expand Applications and Services\Microsoft\Windows\WMI-Activity
Right click on items Debug and Trace and select Enable for each one
4. Download the latest version of the Windows Sysinternals tool Process Explorer
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx.
5. Find the instance of wmiprvse.exe with high memory consumption and right click on it and bring up the
properties sheet. Click on the WMI Providers tab and document the listed providers
Alternatively you could run following wmiccommand from command prompt to get a list of loaded providers and their
associated PID you could then match up to PID with instance of wmiprvse with high
memory usage:
wmic path msft_providers get Provider,HostProcessIdentifier /format:list
6. We now want to take that list of providers and configure them to run in their own instance of
wmiprivse.exe. Open an instance of PowerShell with admin rights
7. Run the following commands: Replace ProviderName below with actual ProviderNamer found from step
9. Collect a network trace for 2 minutes using Network Monitor. Latest version can be found at:
http://www.microsoft.com/en-us/download/details.aspx?id=4865
10. Now save wmi-activity traces in Event Viewer, do so by right clicking on each and select Save all events as
option
At this point you will now need to open a Support Incident Case with Microsoft for data analysis and most likely
After installation has finished, start creating a trace by starting the "Windows Performance Recorder"
3. Open Task Manager and add the PID column view, then go locate the instance of wmiprvse.exe with high
cpu usage and note the PID. If it was the WMI service that had the high cpu, then you should already have it
broken out to run in its own svchost process and note the PID of that svchost process. To confirm you have
the right svchost process, you can run tasklist /svc from administrative command prompt and verify the PID
noted in task manager and ensure it is the svchost process running winmgmt in it.
4. Run the following command: procdump ma -s 60 -n 3 <PID>
Note: Replace <PID> with actual PID you documented for instance of wmiprvse.exe or for the svchost process running
winmgmt exhibiting high memory usage
The above command will produce 3 dumps spaced 1 minute apart each in same directory you ran the procdump
command from
5. Download the latest version of the Windows Sysinternals tool Process Explorer.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
6. If it was wmiprvse.exe that had the high CPU usage, then find the instance and right click on it and bring
up the properties sheet. Click on the WMI Providers tab and document the listed providers
At this point you will now need to open a Support Incident Case with Microsoft to get the data analyzed to
determine cause of high CPU usage.
Please reference this blog and the following TAG when you open the Support Incident Case with Microsoft, as it
will help the engineer understand what actions have been taken or followed and well help us track the
effectiveness of the blog.
TAG = WMITBLOG