none
WmiPrvSE.exe CPU consumption

    Question

  • Hi,

    I was wondering if there is some way resolve the issue of WmiPrvSE.exe consuming from 4-6 percent of my CPU constantly?  I have a new installation of Windows 2008 Enterprise running on a Quad Core with 4GB ram and the Windows Management Instrumentation will not settle down.

    I have another 2008 installation that does not exhibit this behavior.  What might be causing this process to consume my CPU?  I have tried disabling various services to no avail.  Is there a specific service or role that can cause this?  Any way to dig in on what's running in the process?

    Thanks!

    ---UPDATE---

    I downloaded Process Monitor from Sys Internals and I am seeing that wmiprvse.exe is running a CreateFile process on C:\WIndows\System32\tzres.dll over and over constantly.

    Code Snippet

    1115321    10:20:34.5323064 PM    wmiprvse.exe    2724    CloseFile    C:\Windows\System32\tzres.dll    SUCCESS   
    1115324    10:20:34.5324188 PM    wmiprvse.exe    2724    QueryStandardInformationFile    C:\Windows\System32\tzres.dll    SUCCESS    AllocationSize: 4,096, EndOfFile: 2,048, NumberOfLinks: 1, DeletePending: False, Directory: False
    1115328    10:20:34.5325959 PM    wmiprvse.exe    2724    CloseFile    C:\Windows\System32\tzres.dll    SUCCESS   
    1115329    10:20:34.5326125 PM    wmiprvse.exe    2724    CreateFile    C:\Windows\System32\en-US\tzres.dll.mui    SUCCESS    Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
    1115332    10:20:34.5327013 PM    wmiprvse.exe    2724    QueryStandardInformationFile    C:\Windows\System32\en-US\tzres.dll.mui    SUCCESS    AllocationSize: 20,480, EndOfFile: 18,944, NumberOfLinks: 2, DeletePending: False, Directory: False
    1115336    10:20:34.5333601 PM    wmiprvse.exe    2724    QueryOpen    C:\Windows\System32\tzres.dll    FAST IO DISALLOWED   
    1115337    10:20:34.5336879 PM    wmiprvse.exe    2724    CloseFile    C:\Windows\System32\en-US\tzres.dll.mui    SUCCESS   
    1115339    10:20:34.5340095 PM    wmiprvse.exe    2724    CreateFile    C:\Windows\System32\tzres.dll    SUCCESS    Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
    1115340    10:20:34.5340912 PM    wmiprvse.exe    2724    QueryBasicInformationFile    C:\Windows\System32\tzres.dll    SUCCESS    CreationTime: 1/18/2008 10:59:11 PM, LastAccessTime: 1/19/2008 2:24:58 AM, LastWriteTime: 11/2/2006 12:05:07 AM, ChangeTime: 3/5/2008 2:29:13 PM, FileAttributes: A
    1115341    10:20:34.5341305 PM    wmiprvse.exe    2724    CloseFile    C:\Windows\System32\tzres.dll    SUCCESS   
    1115343    10:20:34.5341950 PM    wmiprvse.exe    2724    QueryOpen    C:\Windows\System32\tzres.dll    FAST IO DISALLOWED   
    1115344    10:20:34.5345423 PM    wmiprvse.exe    2724    CreateFile    C:\Windows\System32\tzres.dll    SUCCESS    Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
    1115345    10:20:34.5345949 PM    wmiprvse.exe    2724    QueryBasicInformationFile    C:\Windows\System32\tzres.dll    SUCCESS    CreationTime: 1/18/2008 10:59:11 PM, LastAccessTime: 1/19/2008 2:24:58 AM, LastWriteTime: 11/2/2006 12:05:07 AM, ChangeTime: 3/5/2008 2:29:13 PM, FileAttributes: A
    1115346    10:20:34.5346293 PM    wmiprvse.exe    2724    CloseFile    C:\Windows\System32\tzres.dll    SUCCESS   
    1115348    10:20:34.5346913 PM    wmiprvse.exe    2724    CreateFile    C:\Windows\System32\tzres.dll    SUCCESS    Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
    1115350    10:20:34.5347922 PM    wmiprvse.exe    2724    QueryStandardInformationFile    C:\Windows\System32\tzres.dll    SUCCESS    AllocationSize: 4,096, EndOfFile: 2,048, NumberOfLinks: 1, DeletePending: False, Directory: False
    1115352    10:20:34.5348427 PM    wmiprvse.exe    2724    CreateFile    C:\Windows\System32\tzres.dll    SUCCESS    Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
    1115356    10:20:34.5349242 PM    wmiprvse.exe    2724    QueryStandardInformationFile    C:\Windows\System32\tzres.dll    SUCCESS    AllocationSize: 4,096, EndOfFile: 2,048, NumberOfLinks: 1, DeletePending: False, Directory: False
    1115357    10:20:34.5351181 PM    wmiprvse.exe    2724    CloseFile    C:\Windows\System32\tzres.dll    SUCCESS   
    1115362    10:20:34.5353233 PM    wmiprvse.exe    2724    CloseFile    C:\Windows\System32\tzres.dll    SUCCESS   
    1115364    10:20:34.5360080 PM    wmiprvse.exe    2724    QueryOpen    C:\Windows\System32\tzres.dll    FAST IO DISALLOWED   
    1115365    10:20:34.5360208 PM    wmiprvse.exe    2724    CreateFile    C:\Windows\System32\en-US\tzres.dll.mui    SUCCESS    Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
    1115367    10:20:34.5362581 PM    wmiprvse.exe    2724    QueryStandardInformationFile    C:\Windows\System32\en-US\tzres.dll.mui    SUCCESS    AllocationSize: 20,480, EndOfFile: 18,944, NumberOfLinks: 2, DeletePending: False, Directory: False
    1115368    10:20:34.5362947 PM    wmiprvse.exe    2724    CreateFile    C:\Windows\System32\tzres.dll    SUCCESS    Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
    1115371    10:20:34.5363607 PM    wmiprvse.exe    2724    QueryBasicInformationFile    C:\Windows\System32\tzres.dll    SUCCESS    CreationTime: 1/18/2008 10:59:11 PM, LastAccessTime: 1/19/2008 2:24:58 AM, LastWriteTime: 11/2/2006 12:05:07 AM, ChangeTime: 3/5/2008 2:29:13 PM, FileAttributes: A
    1115373    10:20:34.5363872 PM    wmiprvse.exe    2724    CloseFile    C:\Windows\System32\tzres.dll    SUCCESS   
    1115375    10:20:34.5364900 PM    wmiprvse.exe    2724    CloseFile    C:\Windows\System32\en-US\tzres.dll.mui    SUCCESS   
    1115377    10:20:34.5366723 PM    wmiprvse.exe    2724    CreateFile    C:\Windows\System32\tzres.dll    SUCCESS    Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
    1115320    10:20:34.5322271 PM    wmiprvse.exe    2724    CreateFile    C:\Windows\System32\tzres.dll    SUCCESS    Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened


    Saturday, March 15, 2008 5:12 AM

Answers

  • Hi Tomas,

     

    Generally speaking, it is quite normal that the WmiPrvSE process cost 4-6 percent of CPU consumption when a specific software requires its facilities.

     

    The WmiPrvSE.exe is a host process for WMI provider services.WMI provider services were loaded in-process with the WMI Service (a new request to WMI would restart the WMI Service). This is an essential service which will start whenever a specific piece of software requires its facilities.

     

    You may check with the 2 different Windows Server 2008 operation system, and see if they are installed with different roles or features or other third party appliction. You may also disable all the third party application on the server to see if the issue will be reoccur.

     

    Hope it helps.

    Wednesday, March 19, 2008 1:27 PM

All replies

  • Hi Tomas,

     

    Generally speaking, it is quite normal that the WmiPrvSE process cost 4-6 percent of CPU consumption when a specific software requires its facilities.

     

    The WmiPrvSE.exe is a host process for WMI provider services.WMI provider services were loaded in-process with the WMI Service (a new request to WMI would restart the WMI Service). This is an essential service which will start whenever a specific piece of software requires its facilities.

     

    You may check with the 2 different Windows Server 2008 operation system, and see if they are installed with different roles or features or other third party appliction. You may also disable all the third party application on the server to see if the issue will be reoccur.

     

    Hope it helps.

    Wednesday, March 19, 2008 1:27 PM
  •  

    I just installed my first 2008 Ent server and I am seeing the same thing, except the utilization is consistently between 10-20%. That seems a bit high to me. I do have IIS, Terminal Services and Deployment Services on this box. Any way to throttle this? Just start disabling services until it stops consuming resources?
    Wednesday, April 02, 2008 11:00 PM
  •  

    Did you install the Feature: "Windows System Resource Manager"?

     

    When I enabled this feature, the CPU went up on the wmiprvse process. (and stopped when i removed the feature).

    Thursday, April 03, 2008 10:13 AM
  • It can also be that WMI Queries are running remotely.
    www.infotechguyz.com - Server 2008, Exchange 2007 Tutorials
    Wednesday, July 09, 2008 7:16 PM
  • I had the same issue of wmiprvse.exe constantly accessing tzres.dll. Removing/Uninstalling Windows System Resource Manager seems to have done the trick for me.
    Friday, October 03, 2008 6:38 PM
  • Sorry to bring this thread back from the grave, but this is exactly what I am seeing.  wmiprvse.exe seems very very intrested in creating and querying this tzres.dll and tzres.dll.mui files so much so that it consumes about 50% (1 CPU) worth of processing time.  It is clearly tied to the "Windows System Resource Manager" and removing this does resolve the issue, but it returns as soon as it is reinstalled.  This is just shy of a clean install of Windows Server 2008 so it is hard to imagine what has set this process into such a tizzy, but thought I would see if there were any new developments in a possible resolution.

    Mia
    Friday, January 16, 2009 11:38 PM
  • We are seeing the same thing on all seven of our Windows Server 2008 Enterprise x64 terminal servers with WSRM installed and active. 

    Does anyone know what tzres.dll is?
    • Proposed as answer by Mulb Monday, March 30, 2009 7:22 PM
    Tuesday, February 10, 2009 3:59 PM
  • Okay so tzred.dll is related to Time Zones.

    Why would WSRM be trying to create this file over and over again?
    Tuesday, February 10, 2009 4:12 PM
  • In ProcessExplorer I am seeing two instances of WmiPrvSE.exe.

    Looking at the properties of both there seems to be a pretty big difference in the resources each instance has been using:

    WmiPrvSE.exe Properties

    Instance 1

    Instance 2


    CPU

     Priority                            
      Kernel Time                   
      User Time                  
      Total Time
      Cycles



    8
    0:00:01.575
    0:00:04.758
    0:00:06.33
    17,296,920,576



    8
    48:16:30.371
    10:42:54.538
    58:59:24.910
    567,454,961,733,880


    Virtual Memory

      Private Bytes
      Peak Private Bytes
      Virtual Size
      Page Faults
      Page Fault Delta



    23,224 K
    24,996 K
    96,368 K
    15,263
    0



    20,676 K
    24,128 K
    94,852 K
    694,482,409
    2,979


    Physical Memory

      Memory Priority
      Working Set
        WS Private
        WS Shareable
        WS Shared
      Peak Working Set



    5
    28,544 K
    21,856 K
    6,688 K
    6,024 K
    30,596



    5
    26,436 K
    18,692 K
    7,744 K
    6,748 K
    29,624 K


    I/O

      I/O Priority
      Reads
      Read Delta
      Read Bytes Delta
      Writes
      Write Delta
      Write Bytes Delta
      Other
      Other Delta
      Other Bytes Delta



    Normal
    1,137
    0
    0
    1,221
    0
    0
    2,906
    0
    0



    Normal
    2,535,055
    8
    448 B
    2,536,069
    8
    752 B
    6,240,561,542
    26,644
    23.1 KB


    Handles    
                    
      Handles                    
      GDI Handles            
      USER Handles            



    153
    0
    0



    269
    0
    0

    The second instance has used more CPU time than *any* other process - surely that cannot be right?

    PS:  The server has only been up for ~130hrs. 

    • Edited by Luke Maslany Tuesday, February 10, 2009 5:10 PM Added uptime
    Tuesday, February 10, 2009 5:03 PM
  • Also seeing the same thing on a newly installed VM of 2008 x64 Std with RC of SP2.  Only thing that has been done to the install is added Terminal Services role and WSRM.  If I turn off the Windows Resource Manager service WmiPrvse process stops spiking the CPU.
    • Proposed as answer by kev4570 Monday, April 21, 2014 7:43 PM
    Wednesday, March 11, 2009 9:41 PM
  • So what is solution anyway? I'm using Windows Server 2008 on my VM and getting the same problem!
    Friday, March 27, 2009 12:22 PM
  • I have the same problem with WmiPrvSE.exe and  tzres.dll/tzres.dll.mui. WmiPrvSE.exe suddenly starts consuming about 50% of the processing time.
    I'm running an Intel DualCore, 2 GB RAM, Vista Ultimate SP2 RC and i think i have no WSRM installed ...
    Thanx!
    Monday, March 30, 2009 7:33 PM
  • I'm having the wmiprvse cpu consumption issue as well, except mine goes to 100%.  Specifically, it is continuouly performing a QueryStandardInformationFile operation against C:\Windows\System32\Spool\Drivers\w32x86\3\hplt8m2.dat, which is a file for an HP Designjet 800.  It alternates on occasion by doing the same operation against hplt5m4.dat, which belongs to an HP Designjet 500.

    "Process Name","PID","Operation","Path","Result","Detail","Sequence","TID","Category","Time of Day"

     

    "wmiprvse.exe","2652","Process Profiling","","SUCCESS","User Time: 24369.8125000, Kernel Time: 304590.4687500, Private Bytes: 9,588,736, Working Set: 13,250,560","n/a","1832","","5:05:04.2801934 PM"

    "wmiprvse.exe","2652","QueryStandardInformationFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\hplt8m2.dat","SUCCESS","AllocationSize: 172,032, EndOfFile: 170,042, NumberOfLinks: 1, DeletePending: False, Directory: False","n/a","1400","Read Metadata","5:05:04.2854198 PM"

    "wmiprvse.exe","2652","QueryStandardInformationFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\hplt8m2.dat","SUCCESS","AllocationSize: 172,032, EndOfFile: 170,042, NumberOfLinks: 1, DeletePending: False, Directory: False","n/a","1520","Read Metadata","5:05:04.2864111 PM"

    "wmiprvse.exe","2652","QueryStandardInformationFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\hplt8m2.dat","SUCCESS","AllocationSize: 172,032, EndOfFile: 170,042, NumberOfLinks: 1, DeletePending: False, Directory: False","n/a","1400","Read Metadata","5:05:04.2865925 PM"

    "wmiprvse.exe","2652","QueryStandardInformationFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\hplt8m2.dat","SUCCESS","AllocationSize: 172,032, EndOfFile: 170,042, NumberOfLinks: 1, DeletePending: False, Directory: False","n/a","1400","Read Metadata","5:05:04.2871798 PM"

    Monday, April 13, 2009 5:45 PM
  • I have a related problem with a memory leak eminating from services.exe at the same time wmiprvse.exe is the top page faulter.  We do have a lot of stuff running that uses the WMI services.

    This system is a 64 bit Windows 2003 R2 SP2 Domain Controller.  It has 8 GB memory, and with nothing much going on the page file will grow in a matter of a few days to over 8 GB in size.  Just before the last interventional reboot, the page file was 8.68 GB, with services.exe using 7 GB of memory.
    Friday, June 12, 2009 8:02 PM
  • Not sure if this is valid for your case but mine was caused by lingering HyperV extensions. I had a Windows Server 2008 SP2 virtual machine and it had HyperV Windows Services running even though the extensions had been uninstalled. I disabled about 3 HyperV services and my machine was back to normal.

    Patrick
    Patrick Parker
    Tuesday, July 14, 2009 10:44 PM
  • Is there any kind of a workaround for the WMIPrvSE issue (WSRM caused) that does not require removing WSRM?

    I'm guessing this affects 100% of Server 2008 WSRM users, it's just a matter of whether or not the sysadmins have noticed it.  I'm trying to propose Server 2008 RemoteApp TS to a couple of clients and I can't be giving away this much CPU.
    James
    Wednesday, July 15, 2009 2:51 PM
  • Same problem here (WSRM).

    Any solution yet that desn't involve unistalling WSRM?

    Thx

    Filippo
    Tuesday, September 15, 2009 10:13 PM
  • Hi,

    I just searched for WSRM and WmiPsrvSE.exe and found this KBase entry:
    http://support.microsoft.com/kb/970067/en-us

    I have installed the hotfix on two different 2008 termnal servers, and so far the CPU usage is gone.

    Frank
    Friday, September 18, 2009 4:55 PM
  • @FHofmann77

    hi,

    did you make any configuration changes after you installed the patch or did it run just as installed? We were also experiencing such problems mit a w2008 terminal server, at the moment the feature is uninstalled.

    thanks in advance

    marco

    Tuesday, June 08, 2010 10:41 AM
  • The network seems to be running mine. What's it Doing?

    Renee


    "MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me
    Sunday, November 20, 2011 6:04 AM
  • same here only mine was running at 40-50%..

     

    uninstalled CPU meter and Network meter gadgets from sidebar, and it went to 0% immediately.

    Monday, February 06, 2012 4:13 PM
  • Hello All,

    WMIPRVSE.EXE is a WMI Provider Host kind of like svchost.exe, meaning that its essentially a shell. There are lots of different types of WMI providers and what they do is left up to the developer. Some may provide information about a custom application or assist in reporting information about a piece of hardware.

    If you are interested in understanding why wmiprvse.exe may be consuming resources such as cpu on your system, you first need to find out what providers are running inside of that instance of wmiprvse.exe.

    Assuming you know which PID is consuming lots of cpu, start by getting a list of PID's running wmiprvse.exe by running this a command prompt:

    tasklist /fi "imagename eq wmiprvse.exe"

    This should show a table similar to this:

    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    WmiPrvSE.exe                1716 Services                   0      7,240 K

    Next we need to list all of our WMI providers and see which PID they are hosted in.

    C:\Windows\System32>wmic path msft_providers get hostinggroup,hostprocessidentifier,namespace,provider,user /format:list

    Note the HostProcessIdentifier as it is the PID of an instance of wmiprvse.exe

    HostingGroup=DefaultNetworkServiceHost
    HostProcessIdentifier=1716
    Namespace=root\CIMV2
    provider=CIMWin32 <-- Name of the provider. There are providers for different types of software such as Exchange, MS SQL. etc etc
    User=

    Here we can see that Process 1716 is hosting the CIMWin32 Provider. Its reponsible for providing access to all of the Win32 classes such as Win32_ComputerSystem or Win32_QuickFixEngineering. Sometimes you are going to see that mulitple providers are being hosted under the same instance of wmiprvse.exe. When this happens you will need to narrow your scope even further by using Process Exporer and examining the stack to see which DLL(Provider) is responsible for the high cpu.

    Hope this helps you track down you wmiprvse.exe high cpu issues!


    Michael. [MSFT]

    Wednesday, February 08, 2012 2:58 AM
  • I'll say this: any resort to WMI will be 1.) slow 2.) ineffecient Cpu wise and 3.) highy consumptive of memory. I wouldn't advise using it.

    Renee


    "MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me

    Wednesday, February 08, 2012 4:23 AM
  • That's a pretty broad brush to paint "WMI" with. Its "speed" or "cpu" or "memory" usuage is up to the developer writing the provider.

    In most management scenarios it makes sense to use WMI instead of trying to reinvent the wheel.


    Michael. [MSFT]

    Wednesday, February 08, 2012 11:41 PM
  • C:\Windows\System32>wmic path msft_providers get hostinggroup,hostprocessidentifier,namespace,provider,user /format:list

    Note the HostProcessIdentifier as it is the PID of an instance of wmiprvse.exe

    HostingGroup=DefaultNetworkServiceHost
    HostProcessIdentifier=1716
    Namespace=root\CIMV2
    provider=CIMWin32 <-- Name of the provider. There are providers for different types of software such as Exchange, MS SQL. etc etc
    User=

    Here we can see that Process 1716 is hosting the CIMWin32 Provider. Its reponsible for providing access to all of the Win32 classes such as Win32_ComputerSystem or Win32_QuickFixEngineering. Sometimes you are going to see that mulitple providers are being hosted under the same instance of wmiprvse.exe. When this happens you will need to narrow your scope even further by using Process Exporer and examining the stack to see which DLL(Provider) is responsible for the high cpu.

    Hope this helps you track down you wmiprvse.exe high cpu issues!


    Michael. [MSFT]

    If I run "wmic path msft_providers" with any of the 'get' parameters I receive the following error:

    "ERROR:
    Code = 0x80041009
    Description = Not available
    Facility = WMI"

    I've tried this from several machines with same error result.
    Wednesday, March 07, 2012 3:36 PM
  • Hi Michael,

    I followed your steps and I got this:

    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    WmiPrvSE.exe                  2404                            0     36,184 K

    HostingGroup=DefaultNetworkServiceHost
    HostProcessIdentifier=2404
    Namespace=root\CIMV2
    provider=CIMWin32
    User=

    HostingGroup=DefaultNetworkServiceHost
    HostProcessIdentifier=2404
    Namespace=root\CIMV2
    provider=Win32_WIN32_TERMINALSERVICE_Prov
    User=

    I looked for WmiPrvSE.exe  in Process Exporer according to its PID, but what's exactly what do I need to search for? didn't quite understand this part: "you will need to narrow your scope even further by using Process Exporer and examining the stack to see which DLL(Provider) is responsible for the high cpu"

    Thanks

    • Proposed as answer by fivesterlings Saturday, May 19, 2012 9:58 AM
    • Unproposed as answer by fivesterlings Saturday, May 19, 2012 9:58 AM
    Friday, May 04, 2012 2:02 PM
  • WmiPrvSe.exe has been using up to 50% of my cpu (Lenovo laptop vista SP2) for about a month. I have fixed it after a lot of work by tracking it down, using ProcMon (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx), to a hyperactive registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} 

    Some application was clearly frantically trying to get info from my <acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card">Network interface card extremely frequently.</acronym>

    <acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card"></acronym>

    <acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card">In my office I connect to an ethernet LAN and at home to a WiFi modem. The solution, found by some thought, was to prioritise my network connections to put the connection being used at the top of the list. </acronym>

    <acronym style="font-family:'Times New Roman';line-height:normal;text-align:left;font-size:medium;" title="Network Interface Card">To do this without entering the registry see, for example, </acronym>http://www.hosteng.com/FAQFiles/EZ%20Ethernet.htm.

     viz:

              If you have WinXP:
                   (1)  Start -->  Control Panel.
                   (2)  Double-click on the "Network Connections" icon.
                   (3)  On the menu at the top, select Advanced --> Advanced Settings...
                   (4)  On the "Adapters and Bindings" tab, in the top window, select the connection you are using.
                   (5)  Use the green arrows at the right to move this connection to the top of the list.
                   (6)  Press <OK> and close Network Connections window.
                   (7)  You may have to reboot your PC.
              If you have WinVista:
                   
    (1)  Start -->  Control Panel.
                   (2)  Double-click on the "Network & Sharing Center" icon.
                   (3)  At the left of this window, click on "Manage network connections"
                   (4)  Press the <ALT> key to make a menu appear at the top of this window.
                   (5)  On the menu at the top, select Advanced --> Advanced Settings...
                   (6)  On the "Adapters and Bindings" tab, in the top window, select the connection you are using.
                   (7)  Use the green arrows at the right to move this connection to the top of the list.
                   (8)  Press <OK> and close Network Connections window.
                   (9)  You may have to reboot your PC.

    Simple! Hope this saves others lots of frustration.

    • Proposed as answer by PokerBrat Tuesday, October 02, 2012 5:54 PM
    Saturday, May 19, 2012 10:35 AM
  • Do you understand why this is astupid answer? It doesnot take cpu speeds into account.

    Renee


    "MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me

    Saturday, May 19, 2012 5:58 PM
  • Which is reason I dont fool with management software.

    Renee


    "MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me

    • Proposed as answer by fivesterlings Tuesday, May 22, 2012 2:06 PM
    • Unproposed as answer by fivesterlings Tuesday, May 22, 2012 2:06 PM
    Saturday, May 19, 2012 6:03 PM
  • Dear Renee

    My problem is fixed, would you kindly explain what you mean about taking cpu speeds into account? with thanks.

    Tuesday, May 22, 2012 2:13 PM
  • I don't think so.I'm a developer and I wouldn't dream of using WMI unless a customer requested a slow and piggish  solution.

    Renee


    "MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me

    Tuesday, May 22, 2012 11:21 PM
  • Different CPU's have different execution speeds and different number of cores. For exanple, this isa Sandy Bridge Extreme and righr now it the faster processor on the planet.

    That will change and Sandy Bridge in a relative sense will be slower as new technologies evolve,

    Renee


    "MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me

    Tuesday, May 22, 2012 11:26 PM
  • OK Renee, I'm quite willing to learn from an expert. Are you saying that there is a better way to manage my Vista O/S LAN and WiFi network connections which by-passes Windows Management Instrumentation? Could you tell me how to find out how, I guess that means programming the relevant registry keys manually and disabling the management software?

    Fivesterlings

    Wednesday, May 23, 2012 3:11 PM
  • If you're on Vista you are in luck! Lan is acessacble in ways that it isn't in Win7 or WAN I should say.

    I have some remaing WAN code.

    Renee


    "MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me

    Thursday, May 24, 2012 4:31 AM
  • Not quite in luck since am about to upgrade to Win 7. However, have found and installed Novell client SP2 which also seems to do the trick. Don't know why this does not come up on the forums as an answer to the WmiPrvSe.exe high CPU problem. Thanks for your interest.
    Thursday, May 24, 2012 9:09 AM
  • I was seeing three instances of WmiPrvSE.exe.  In the busiest one, about 25% CPU, Process Monitor showed acess to tzres.dll a lot.  When I right clicked on it, selected Properties, then the Process tab, I saw an entry for guard32.dll from COMODO.  I'm not currently running COMODO, I thought, but tracing that down led to Comodo System Services, which I'd installed while looking for a cure for a search results hijacking virus.  I uninstalled the Comodo System Services and the third, busy, instance of WmiPrvSE.exe disappeared.  Now I have just one instance running, at 11 or 12%.  Hopefully that will help cool down my rather warm laptop.

    I hope this might help someone else!  The Sysinternals Process Monitor and Process Explorer are very handy tools.

    Thursday, September 06, 2012 11:29 PM
  • Hello, i have similar problem on hp proliant server running windows 2008 (32bit) with 4cores cpu, the WmiPrvSE.exe process is shortly after boot consuming 25% of CPU (i.e. 100% of one core) for ever and for example Disk Management does not work anymore.

    C:\>tasklist /fi "imagename eq wmiprvse.exe"

    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    WmiPrvSE.exe                  3964 Services                   0     26,536 K
    WmiPrvSE.exe                  6576 Services                   0      6,056 K

    C:\>wmic path msft_providers get hostinggroup,hostprocessidentifier,namespace,provider,user /format:list
    ^C (command just hangs)

    7532 thread stack (the one with one cpu core full usage):

    !std::num_put<char,std::ostreambuf_iterator<char,std::char_traits<char> > >::_Put+0x12


    !LPoly+0x21c



    !_dllonexit+0x9f
    !CollectPerformanceData+0x228c1
    !CollectPerformanceData+0x22852
    !CollectPerformanceData+0x234f6
    !CollectPerformanceData+0x231b3
    !CollectPerformanceData+0x232ba
    !NLG_Return
    !CollectPerformanceData+0x20b4f
    !CollectPerformanceData+0x27040e
    !initterm+0x13
    !CollectPerformanceData+0x20abe3
    !CollectPerformanceData+0x20adab
    !CollectPerformanceData+0x20ae78
    ntdll.dll!RtlQueryInformationActivationContext+0x1b7
    ntdll.dll!RtlEncodeSystemPointer+0x56d
    ntdll.dll!LdrLoadDll+0x35b
    ntdll.dll!LdrLoadDll+0x11f
    !LoadLibraryExW+0x24c
    !ElfRegisterEventSourceW+0x3c42
    !ElfRegisterEventSourceW+0x3aff
    !WmiQuerySingleInstanceW+0xc2d
    !WmiQuerySingleInstanceW+0xae6
    !RegQueryValueExW+0x97
    !PdhGetCounterInfoA+0x2f84
    !PdhLookupPerfNameByIndexW+0x1c9d
    !PdhEnumMachinesA+0x196
    !PdhEnumObjectsHW+0x124
    !PdhEnumObjectsW+0x101
    !DllCanUnloadNow+0x2b1
    !DllCanUnloadNow+0x1432
    !RpcServerUnregisterIf+0x1004
    !NdrStubCall2+0x27f
    !CStdStubBuffer_Invoke+0xa0
    !CWbemInstance::GetPropQualifier+0x61
    !WdtpInterfacePointer_UserUnmarshal+0x1e09
    !WdtpInterfacePointer_UserUnmarshal+0x1f9d
    !CoRevokeClassObject+0xb145
    !CoRevokeClassObject+0xb056
    !WdtpInterfacePointer_UserUnmarshal+0x6de
    !WdtpInterfacePointer_UserUnmarshal+0x1cdf
    !WdtpInterfacePointer_UserUnmarshal+0x6ee
    !RpcServerUnregisterIf+0x1236
    !RpcServerUnregisterIf+0x10e4
    !I_RpcGetBufferWithObject+0x34d
    !I_RpcGetBufferWithObject+0x2cf
    !RpcServerUnregisterIf+0x14d7
    !RpcServerUnregisterIf+0x13e5
    !RpcServerUnregisterIf+0xc35
    !I_RpcSend+0x7fe
    !NdrTypeFlags+0x82b
    !NdrTypeFlags+0x3d4
    !NdrTypeFlags+0x39b
    !NdrTypeFlags+0x41e
    !BaseThreadInitThunk+0x12
    ntdll.dll!RtlInitializeExceptionChain+0x63
    ntdll.dll!RtlInitializeExceptionChain+0x36


    !LPoly+0x1b4
    !std::num_put<char,std::ostreambuf_iterator<char,std::char_traits<char> > >::do_put+0x59
    !std::num_put<char,std::ostreambuf_iterator<char,std::char_traits<char> > >::do_put+0x43


    ntdll.dll!RtlFreeHeap+0x23f



    ntdll.dll!RtlAllocateHeap+0x95



    !std::basic_streambuf<char,std::char_traits<char> >::sputc+0x33
    !StrStrW+0x8cbf8



    ntdll.dll!RtlEnterCriticalSection
    !LPoly+0x1708




    ---------------------------
    Process Explorer
    ---------------------------
    The module cannot be located
    ---------------------------
    OK   
    ---------------------------

    i'm not able to identify any DLL which can be connected with this strange issue

    any advice please?

    Wednesday, September 12, 2012 3:06 PM
  • "

      (1)  Start -->  Control Panel.
                   (2)  Double-click on the "Network & Sharing Center" icon.
                   (3)  At the left of this window, click on "Manage network connections"
                   (4)  Press the <ALT> key to make a menu appear at the top of this window.
                   (5)  On the menu at the top, select Advanced --> Advanced Settings...
                   (6)  On the "Adapters and Bindings" tab, in the top window, select the connection you are using.
                   (7)  Use the green arrows at the right to move this connection to the top of the list.
                   (8)  Press <OK> and close Network Connections window.
                   (9)  You may have to reboot your PC.

    Simple! Hope this saves others lots of frustration."

    This fixed it for me on Server 2008.  In my case an unused adapter was at the top of the binding's list.  I moved the working adapter to the top and killed the Wmiprvse.exe and it didn't come back.   If the binding order was wrong, the process would return instantly to a 25% usage state.  

    Thank you for this. 


    Joe H

    Tuesday, October 02, 2012 5:56 PM
  • Setting the correct order to the binding of the network cards helped but there is still a fair amount of chatter.  If you 'Restart' (not Stop then Start) the service "Windows Management Instrumentation" in the Services panel then the 'WmiPrvSE.exe' activity drops almost to zero.  All of the dependent services will automatically get restarted if you use the 'Restart' option.
    • Proposed as answer by simrick Saturday, June 29, 2013 2:48 PM
    Wednesday, January 16, 2013 2:11 AM
  • Setting the correct order to the binding of the network cards helped but there is still a fair amount of chatter.  If you 'Restart' (not Stop then Start) the service "Windows Management Instrumentation" in the Services panel then the 'WmiPrvSE.exe' activity drops almost to zero.  All of the dependent services will automatically get restarted if you use the 'Restart' option.

    @DG3

    Thank you very much for this tip!! I have a W8Pro MediaCtr with a single core AMD Athlon 64 3500+ (Orleans) processor. WmiPrvSE.exe was taking up 50% of the CPU constantly! This is a desktop, and setting the binding order of network adapters didn't apply to me, as I only have the ethernet adapter, and the VPN adapter (no wireless). I noticed hyper activity with the Time Zone DLL in Process Monitor (tzres.dll). Restarting Windows Management Instrumentation did the trick, and it's now running at 0% of the CPU, if at all.



    • Edited by simrick Saturday, June 29, 2013 2:53 PM added time zone filename
    Saturday, June 29, 2013 2:47 PM
  • It looks like I was able to resolve it on a Server 2008 R2 Sp1 server by running the command winmgmt.exe /resetrepository

    If I restarted the WMI service in services.msc It would drop obviously, but would rapidly climb back up to High percentages.  Once I ran that command to reset the repository, CPU slowly came down to a cool 1 - 2 % mostly 0%

    I searched so long for an answer, and at least for now this is a solution.  I have been only monitoring it for a few hours after I flushed the repository but It seems to be holding.  I am installing SP2 tonight but Have my fingers crossed.

    Deselo

    Thursday, July 25, 2013 7:09 PM
  • Running the command "winmgmt.exe /resetrepository" solves the problem, however it only reappears on the next login...

    I disabled from automatic startup all services that depended on "Windows Management Instrumentation", but no change...

    Sunday, August 04, 2013 2:41 AM
  • for me i used the command and got an error message also saying access is denied. I already tried to get access through properties but was unsuccessful. How did you get access to it???

    I have a

    TOSHIBA Satellite C855D with windows 8

    Tuesday, August 13, 2013 1:32 AM
  • Hey there,

    I have a suspicion that when WMI starts, it's out of sync with other security items installed on Windows like anti-virus, firewalls, etc. What I noticed was, at least in my case, it ran early in the startup process, and didn't detect the presence of my McAfee utilities (anti-virus, firewall, etc.). So, WMI tried to fire up those services... and kept trying to, even after McAfee started up.

    I noticed that only after I restarted WMI, suddenly in my Win Action Center (Security section), it detected McAfee was running those services for me (not the default Windows services), and POOF, no CPU usage problem.

    So, I created a scheduled task definition that simply auto-restarts WMI and its underlying services a few seconds after login. It has to be delayed a bit, because WMI has to actually start up with the "wrong" settings first.

    Here is the definition of the task (you'll need to substitute your user name where it's specified).

    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
        <Date>2013-12-12T14:04:02.5955723</Date>
        <Author>Angelo B.</Author>
        <Description>Improves CPU usage by WMI</Description>
      </RegistrationInfo>
      <Triggers>
        <LogonTrigger>
          <Enabled>true</Enabled>
          <Delay>PT22S</Delay>
        </LogonTrigger>
      </Triggers>
      <Principals>
        <Principal id="Author">
          <UserId>*ENTER_YOUR_WINDOWS_USER_ACCOUNT_HERE*</UserId>
          <LogonType>InteractiveToken</LogonType>
          <RunLevel>HighestAvailable</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>true</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <StopOnIdleEnd>true</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>true</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
        <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
        <Priority>7</Priority>
      </Settings>
      <Actions Context="Author">
        <Exec>
          <Command>net</Command>
          <Arguments>stop "IP Helper"</Arguments>
        </Exec>
        <Exec>
          <Command>net</Command>
          <Arguments>stop "Security Center"</Arguments>
        </Exec>
        <Exec>
          <Command>net</Command>
          <Arguments>stop "Intel(R) Rapid Storage Technology"</Arguments>
        </Exec>
        <Exec>
          <Command>net</Command>
          <Arguments>stop Winmgmt</Arguments>
        </Exec>
        <Exec>
          <Command>net</Command>
          <Arguments>start Winmgmt</Arguments>
        </Exec>
        <Exec>
          <Command>net</Command>
          <Arguments>start "Security Center"</Arguments>
        </Exec>
        <Exec>
          <Command>net</Command>
          <Arguments>start "IP Helper"</Arguments>
        </Exec>
        <Exec>
          <Command>net</Command>
          <Arguments>start "Intel(R) Rapid Storage Technology"</Arguments>
        </Exec>
      </Actions>
    </Task>

    This now works reliably every time I restart or log in.

    Friday, December 13, 2013 3:58 AM
  • This works!!! Restarted the WMI service and its resolved. Been struggling with this for months. Will try a system restart and see if it comes back then maybe look to disable startup programs with system configuration. Skinny win 8.1 laptop now idling <10% where it should be not permanent 20-40 on wmi :)
    Saturday, February 15, 2014 1:04 PM
  • Restarted machine and WMI started up again, restarted service and it stopped. Seems something at startup is not exciting gracefully...
    Saturday, February 15, 2014 1:17 PM
  • Thanks Kristoffer!
    Thursday, February 27, 2014 2:22 PM
  • Thank You, Michael S [MSFT]. Your post lead me down a twisted path to find this hotfix which alleviated my WmiPrvSE.exe high CPU utilization issue on Windows 2008 R2.

    MS Article ID: KB2617858
    Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7

    http://support.microsoft.com/kb/2617858/en-us

    What lead me to the solution was seeing many threads with Start Address ntdll.dll!rtlValidateHeap+0x170 consuming most of the CPU in Process Explorer for WmiPrvSE.exe.
    Monday, May 19, 2014 4:26 PM