Solved WmiPrvSE.exe hogging processor

Hi!
I have an ongoing problem with WmiPrvSE.exe, - every now and again it seems to hog the processor and maxes it out, -when I open the task manager I can see that the processor is running at 100% with WmiPrvSE.exe accounting for the lions share of that. -Its a problem because I can`t run any sort of music program or media player without it pausing in the middle of playing a track or film (it makes a horrendous noise too), its also causing problems with other applications - interrupting their operation. -I sometimes Broadcast to a server and can`t really afford to put up with this problem because its interrupting my programs. - I have had to switch to another windows 7 PC for now or at least until I can cure this problem.
Has anybody else come across this problem and is there a viable fix for it? - I understand that this is a essential windows service and is needed for the anti-virus program (defender), someone suggested to me that a wi-fi driver helper application that uses the service was known to cause this problem, but I am on a wired lan and have disabled the wi-fi, and the problem still occurs .
Anybody?

The process WMIPrvSE.exe is a WMI Provider host. These get created when an application or script running on the machine queries WMI and causes a provider host to be spun up to satisfy the request. If you're seeing lots of activity in wmiprvse.exe processes, you have something (or some things) making heavy use of WMI on your machine.

Is there a pattern at all to when this seems to occur?

Hi, thanks for answering - wasn`t sure where to ask this so thanks for moving it to the right location.

There doesn`t seem to be a regular pattern as such but I would say it does occur every 10 minutes or so on average, - in saying that, there could be a gap of 20 minutes between occurrences or just 5 minutes, it seems quite random.
I have tried disabling things like my Livedrive backup, Dropbox, Skydrive etc and running with nothing showing in the task bar to try to isolate it but so far without success. Whatever I do , it still comes back. I have also run antispyware scans in case it is a Trojan or malware. -I used Superantispyware and malwarebytes. (Nothing found).

You can enable WMI tracing (it's not on by default) by doing the following on Win8:

• Open Event Viewer
• Click View > Show Analytic and Debug Logs
• Browse to Applications and Services Logs > Microsoft > Windows > WMI-Activity
• Right-click on both the "Debug" and "Trace" log options within this folder, and select "Enable Log" for both (the "Operational" log should already be enabled and logging generic events)

Reboot, and after the next time you see high activity in wmiprvse.exe, see if there's any activity in these two newly-enabled logs.

OK, thanks -will give that a try tomorrow, - bit occupied at the moment, -one of my USB external drives is dying (different PC) and I`m transferring what I can to a new one.
Thanks for the help!

Good luck - I'll try to keep an eye on this as I start traveling again tomorrow.

OK started the logging process and almost immediately the processor started maxing out again but on examining the logs I can only see the process cimwill32.dll running at the times of the spikes

Here is an example of the log:-

Log Name: Microsoft-Windows-WMI-Activity/Operational
Source: Microsoft-Windows-WMI-Activity
Date: 12/05/2013 13:43:57
Event ID: 5857
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: LUNA
Description:
CIMWin32 provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4844; ProviderPath = %systemroot%\system32\wbem\cimwin32.dll
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
<EventID>5857</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2013-05-12T12:43:57.281362300Z" />
<EventRecordID>6001</EventRecordID>
<Correlation />
<Execution ProcessID="4844" ThreadID="5072" />
<Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
<Computer>LUNA</Computer>
<Security UserID="S-1-5-20" />
</System>
<UserData>
<Operation_StartedOperational xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
<ProviderName>CIMWin32</ProviderName>
<Code>0x0</Code>
<HostProcess>wmiprvse.exe</HostProcess>
<ProcessID>4844</ProcessID>
<ProviderPath>%systemroot%\system32\wbem\cimwin32.dll</ProviderPath>
</Operation_StartedOperational>
</UserData>
</Event>

-All double dutch to me I`m afraid?

Closing this thread. Still no wiser unfortunately. -Guess I`ll just have to put up with it.

Sorry - been traveling without internet access off and on for the last month. I would recommend running a process monitor log along with this logging and stopping the process monitor logging (file > save) when the issue occurs. Since it's cimwin32, some process is running and querying WMI, but we don't know if it's some new process or if an existing one is doing so, but it's likely calling native classes. A process monitor log should give more insight here.

Have a read of this thread. You may find an answer there.
WmiPrvSE.exe CPU consumption

i also have this problem how can i fix it though

well this is embarasing......

when i did the logiing steps it automaticly dissapeared and k am running as goood as stock :shock:

If you're still having problems, have a look at the link in post #10 (page 1) of this thread, and also here.

Log Name: Microsoft-Windows-WMI-Activity/Trace
Source: Microsoft-Windows-WMI-Activity
Date: 11/12/2013 10:57:01 PM
Event ID: 50
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: idea-PC
Description:
Activity Transfer
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" />
<EventID>50</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2013-11-13T06:57:01.734113400Z" />
<EventRecordID>237</EventRecordID>
<Correlation ActivityID="{1782D085-F6F5-428C-BEBB-F44E890C44DF}" RelatedActivityID="{6854820B-E03D-0001-2582-54683DE0CE01}" />
<Execution ProcessID="604" ThreadID="2600" ProcessorID="1" KernelTime="4" UserTime="7" />
<Channel>Microsoft-Windows-WMI-Activity/Trace</Channel>
<Computer>idea-PC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
</EventData>
</Event>




this my log can anyone help my wmi is hogging 40% constintly

Hi

Not sure how to enterpret Resource Monitor and "WmiPrvSE.exe" ..... is this normal ?
I'm running w8.1

simrick said:

WmiPrvSE.exe CPU consumption

Click to expand...

, referes (at the bottom) to a hotfix for Windows 2008 R2.
- is this valid for w8.1 ?

-------------------------------------------
Attached are logs

cluberti said:

You can enable WMI tracing (it's not on by default) by doing the following on Win8:

• Open Event Viewer
• Click View > Show Analytic and Debug Logs
• Browse to Applications and Services Logs > Microsoft > Windows > WMI-Activity
• Right-click on both the "Debug" and "Trace" log options within this folder, and select "Enable Log" for both (the "Operational" log should already be enabled and logging generic events)

Reboot, and after the next time you see high activity in wmiprvse.exe, see if there's any activity in these two newly-enabled logs.

Click to expand...

TZres.dll file created over and over again solved

Long story short, I've spent a day investigating the spikes my cpu made at idle (between 4% and 16%, the culprit was tzres.dll accesed by WMI trying to create a file over and over again.

Probable causes I found browsing the internet wirth their solution:

1) Windows Resources Management software - not installed on my system, an official patch exist if you're affected

2) Malware (opencandy, conduit etc...) - use an anti malware program like adwcleaner or hitman pro

3) Temporary solution with no culprit found - restart the Windows Management Instrumentation service, the bad behaviour will come back after reboot

None of these solutions satisfying me, I remembered Antivirus software use the time of your computer in their procedures to weed out malicious programs. TZres.dll dealing with timezones, I decided to investigate and VOILA, the culprit on my system is AVAST ANTIVIRUS.

Uninstalled and the spikes were gone, my cpu stays at about 2 to 3% at about 600 Mhz, perfect for my little atom tablet!

Hope this helps

PS: Installed Panda cloud antivirus and the spikes did not return! It is also supposed to be light on resources and quite effective if you believe the last AV-comparatives test AV-Comparatives Real-World Protection Test » AV-Comparatives

Sysinternals Process Explorer is an excellent utility that can help you track down problem processes and malware. Learning how to use it is key:

https://www.youtube.com/results?search_query=process+explorer

SysInternals Pro: Understanding Process Explorer


Process monitor can be useful also, but there is much more info to wade through, as it monitors registry changes, which can eat up system resources very quickly if you let it run too long. It's general use is to fire it up and start capturing when the problem process starts, stop the capture when you think you've caught it and examine the traces.

SysInternals Pro: Understanding Process Monitor

Chaku01 said:

TZres.dll file created over and over again solved

Long story short, I've spent a day investigating the spikes my cpu made at idle (between 4% and 16%, the culprit was tzres.dll accesed by WMI trying to create a file over and over again.

Click to expand...

I know that this msg is pretty old, but I was wondering how you determined that tzrez.dll was trying to create a file over and over again.

Thx.

P.S. I too am using Panda, Avast sucks!