WMI Provider Host process cpu utilization between 20% to 60% permanently

All replies

• 

  

  0

  Sign in to vote

  Hi Alfred56,

  Please check this article for a hint.

  Troubleshoot WMI Provider Host High CPU Usage issue in Windows 10

  https://www.thewindowsclub.com/wmi-provider-host-high-cpu-usage

  Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

  About the event viewer errors you pasted

  The core problem for this set of issues is that the WMI error event ID 5858 is being generated generically and is not only representing functional error conditions. Unfortunately, for application/backwards compatibility, we can’t just get rid of it, because people have gone to the effort of parsing the event (more below) to look for the instances where there is useful data.

  Event 5858 is generated any time there is an error returned to the WMI client API. Many of these “errors” are behaviors that the client application handles (for example, checking for something that is not present), so seeing event 5858 does not tell you enough. The user data section of the event has the information to explain if the problem is important, but it must be parsed. That makes this event hard to use for monitoring, so some notes on that are at the end.

  Source:

  https://social.technet.microsoft.com/Forums/windows/en-US/84d42b34-6941-4b60-9908-450ef8305813/event-5858-from-wmiactivity?forum=winserver8gen

  Regards

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  Tuesday, December 24, 2019 1:47 AM
• 

  

  0

  Sign in to vote

  Hi Alfred56,

  Please check this article for a hint.

  Troubleshoot WMI Provider Host High CPU Usage issue in Windows 10

  https://www.thewindowsclub.com/wmi-provider-host-high-cpu-usage

  Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

  About the event viewer errors you pasted

  The core problem for this set of issues is that the WMI error event ID 5858 is being generated generically and is not only representing functional error conditions. Unfortunately, for application/backwards compatibility, we can’t just get rid of it, because people have gone to the effort of parsing the event (more below) to look for the instances where there is useful data.

  Event 5858 is generated any time there is an error returned to the WMI client API. Many of these “errors” are behaviors that the client application handles (for example, checking for something that is not present), so seeing event 5858 does not tell you enough. The user data section of the event has the information to explain if the problem is important, but it must be parsed. That makes this event hard to use for monitoring, so some notes on that are at the end.

  Source:

  https://social.technet.microsoft.com/Forums/windows/en-US/84d42b34-6941-4b60-9908-450ef8305813/event-5858-from-wmiactivity?forum=winserver8gen

  Regards

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  Hi Teemo,

  thank you for your reply.

  I followed the first ink in your reply but it really did not help me find the cause of the higher utilisation for WMI provider host in task manager.

  I know that when I stop the Windows Management Istrumentation service the utilization goes right down for a short while until the same service restarts automatically in the background. 

  You say that "The user data section of the event has the information to explain if the problem is important"

  I looked at the data but it does not make much sense to me. 

  It still says <PossibleCause>Unknown</PossibleCause> 

  What follows is the xml view of the errors which also includes the user data portion. I just listed 3 errors to keep it short:

  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  - <System>
    <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" /> 
    <EventID>5858</EventID> 
    <Version>0</Version> 
    <Level>2</Level> 
    <Task>0</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x4000000000000000</Keywords> 
    <TimeCreated SystemTime="2019-12-26T00:10:04.204705600Z" /> 
    <EventRecordID>20869</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="4024" ThreadID="12840" /> 
    <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel> 
    <Computer>pc-1</Computer> 
    <Security UserID="S-1-5-18" /> 
    </System>
  - <UserData>
  - <Operation_ClientFailure xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
    <Id>{00000000-0000-0000-0000-000000000000}</Id> 
    <ClientMachine>PC-1</ClientMachine> 
    <User>NT AUTHORITY\SYSTEM</User> 
    <ClientProcessId>11788</ClientProcessId> 
    <Component>Unknown</Component> 
    <Operation>Start IWbemServices::ExecNotificationQuery - ROOT\subscription : SELECT TargetInstance, PreviousInstance FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA '__EventConsumer'</Operation> 
    <ResultCode>0x80041032</ResultCode> 
    <PossibleCause>Unknown</PossibleCause> 
    </Operation_ClientFailure>
    </UserData>
    </Event>
  ------------------------------------------
  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  - <System>
    <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" /> 
    <EventID>5858</EventID> 
    <Version>0</Version> 
    <Level>2</Level> 
    <Task>0</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x4000000000000000</Keywords> 
    <TimeCreated SystemTime="2019-12-26T00:10:04.203471900Z" /> 
    <EventRecordID>20867</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="4024" ThreadID="7612" /> 
    <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel> 
    <Computer>pc-1</Computer> 
    <Security UserID="S-1-5-18" /> 
    </System>
  - <UserData>
  - <Operation_ClientFailure xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
    <Id>{00000000-0000-0000-0000-000000000000}</Id> 
    <ClientMachine>PC-1</ClientMachine> 
    <User>NT AUTHORITY\LOCAL SERVICE</User> 
    <ClientProcessId>12272</ClientProcessId> 
    <Component>Unknown</Component> 
    <Operation>Start IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'</Operation> 
    <ResultCode>0x80041032</ResultCode> 
    <PossibleCause>Unknown</PossibleCause> 
    </Operation_ClientFailure>
    </UserData>
    </Event>
  ------------------------------------------
  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  - <System>
    <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" /> 
    <EventID>5858</EventID> 
    <Version>0</Version> 
    <Level>2</Level> 
    <Task>0</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x4000000000000000</Keywords> 
    <TimeCreated SystemTime="2019-12-26T00:10:04.195917300Z" /> 
    <EventRecordID>20866</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="4024" ThreadID="14404" /> 
    <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel> 
    <Computer>pc-1</Computer> 
    <Security UserID="S-1-5-18" /> 
    </System>
  - <UserData>
  - <Operation_ClientFailure xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
    <Id>{00000000-0000-0000-0000-000000000000}</Id> 
    <ClientMachine>PC-1</ClientMachine> 
    <User>pc-1\alfred</User> 
    <ClientProcessId>14948</ClientProcessId> 
    <Component>Unknown</Component> 
    <Operation>Start IWbemServices::ExecNotificationQuery - root\cimv2 : select * from __InstanceDeletionEvent within 2 where TargetInstance ISA 'Win32_PnPEntity' AND TargetInstance.Service = 'WUDFWpdMtp'</Operation> 
    <ResultCode>0x80041032</ResultCode> 
    <PossibleCause>Unknown</PossibleCause> 
    </Operation_ClientFailure>
    </UserData>
    </Event>
  

  Thursday, December 26, 2019 12:30 AM
• 

  

  0

  Sign in to vote

  In fact, for deep research on the event log and wmi provider, I advise open a support ticket with Microsoft. There are best resources can help you.
  https://support.microsoft.com/en-gb/hub/4343728/support-for-business
  On forum platform, we can do limited for you, what i can come up with has been delivered, thank you for understanding and cooperating

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  Tuesday, January 7, 2020 6:30 AM
• 

  

  0

  Sign in to vote

  Hi Alfred56,
  
  I found a the cause + solution for me.
  
  After spending a lot of time reading about this problem i found that no one seems to have a definitive solution. I decided to close apps one by one on my computer while monitoring the 5858 error log and CPU usage and found that Garmin Express was causing this problem for me.
  
  If you don't have Garmin Express installed i would suggest closing 3d party apps and while monitoring the error log + cpu usage? For me it was instant, as soon as i closed GE my CPU usage returned to idle, i've not had an error log for over 30 mins now. (error 0x80041032)

  Hope this helps.

  • Marked as answer by alfred56 Thursday, May 21, 2020 1:12 AM

  Wednesday, May 20, 2020 12:12 AM
• 

  

  0

  Sign in to vote

  Hi Alfred56,
  
  I found a the cause + solution for me.
  
  After spending a lot of time reading about this problem i found that no one seems to have a definitive solution. I decided to close apps one by one on my computer while monitoring the 5858 error log and CPU usage and found that Garmin Express was causing this problem for me.
  
  If you don't have Garmin Express installed i would suggest closing 3d party apps and while monitoring the error log + cpu usage? For me it was instant, as soon as i closed GE my CPU usage returned to idle, i've not had an error log for over 30 mins now. (error 0x80041032)

  Hope this helps.

  Hi Murcho,

  Thank you for your reply.

  I actually came up to the same conclusion as yours  several months ago, the culprit was actually garmin express.

  I do al lot of bicycle riding and use the Garmin Edge 520 to track my rides that are uploaded onto strava.

  What I did was to disable garmin express from auto starting.

  Pretty bad application.

  Best regards

  Alfred56

  Wednesday, May 20, 2020 11:12 PM