wmiprvse.exe realling slowing me down

Started by Lance Bateman, November 15, 2011, 05:24:36 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Lance Bateman

Today, I have this "wmiprvse.exe" hogging my CPU time. I've done a system shut down, run a quick scan (NAV), and it is still running, sometimes taking as much as 90% of the CPU.

Any ideas?  Our "IT" guy (big grain of salt) hasn't offered anything yet that I haven't done.

Bob

#1
Sounds like your IT Dept has something running on the desktops to aid them, not you and taking up lots of resource..   Article helps to explain.

http://www.neuber.com/taskmanager/process/wmiprvse.exe.html

If it is hampering you from doing your job and doesn't improve, I would take it up with them or your supervisor.   IT Dept job is to enable you to do your job, not hinder you.  JMO  :)



Lance Bateman

Yup, ran a malware check, didn't do anything to this problem.  Logged into the pc as local admin, the program doesn't show.  All I could find is that it is something used in network monitoring programs.  I've given him what I've done and what I found, and we'll see if I get any response.

You've hit the nail on the head with our person running systems though.  He does things without telling anyone, even has rebooted servers without warning then doesn't tell us when they are back up.

Wonder why there are some in the company that want me to take over that part?  I'm not that anxious, as I'm still trying to unravel just what was done with Security Manager before I got here. And the biggest part of the agency handles life/retirement/investments and I have no idea of the computer setup for that.  Add that it seems much of the system setup is chewing gum and construction tape - and I think there is a hesitancy to spend money - and I've been busy enough just dealing with the P/C side.

Jeff Zylstra

You may find that handling some of these things yourself not only gives you insight as to why certain things are happening, but also the latitude to make changes.   If the equipment isn't horribly out-dated or the wrong equipment for the job, configuring it correctly will go a long way towards making your life easier.


I would see if you can kill this process in task manager if it hasn't stopped already.  And also check and see if there are any "new" entries in the system log or maybe even the application log.  And maybe check for open ports using the Windows NETSTAT command.  Here's a link to refresh your memory on NETSTAT.  Hope this helps.

http://www.petri.co.il/quickly_find_local_open_ports.htm
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Lance Bateman

(Frustration)

Tried to stop the process yesterday and today - "access denied".  (When I log on to my PC as local admin, it doesn't come up).

Did the Task Manager PID search - it's PID 2420 and the only one on that.  (I need to research for what PID stands for).

Did the DOS search - typed in the command - access denied.

I'll send the article to the "IT Guy" (tongue in cheek) to see if he can do this.  I'm suspicious there is either a network program monitoring usage, or possibly something that got into the network capturing keystrokes?  It's showing in task manager as a network service.

Hans Manhave

PID is "Program IDentifier".  If you go to View/SelectColumns you can find lots of things to select.

On my workstation, as a user with admin privs, it shows as SYSTEM in the username column.  Logging in as a regular user on another workstation, that image name does not show up.

I am running all kinds of things on my station.  Radmin, DameWare Mini Remote etc.  I have not looked into the dependencies etc.  It is PID 880 and uses 30,304K on my machine.  No CPU cycles for some time.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

Quote from: Lance Bateman on November 16, 2011, 12:24:12 PM
(Frustration)

Tried to stop the process yesterday and today - "access denied".  (When I log on to my PC as local admin, it doesn't come up).

Did the Task Manager PID search - it's PID 2420 and the only one on that.  (I need to research for what PID stands for).

Did the DOS search - typed in the command - access denied.

I'll send the article to the "IT Guy" (tongue in cheek) to see if he can do this.  I'm suspicious there is either a network program monitoring usage, or possibly something that got into the network capturing keystrokes?  It's showing in task manager as a network service.

Maybe you could right click on the "open a command prompt" menu from the program menu, choose the "run as" option, and run it as an administrator.   Then use the "taskkill" command at the command prompt.  Quick and dirty, but it might work.

Also, are there any entries in event viewer?  I might be inclined to download and install MalwareBytes and do a quick scan. 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

I don't think PIDs are always the same in Windows.  There might be a handful that always have the same PID each time they run, but for the most part, I'm pretty sure that PIDs are somewhat random.

I always have two wmiprvse.exe processes running on my (XP Pro) workstation.  One runs as SYSTEM and the other as NETWORK SERVICE.

You could try stopping the "Windows Management Instrumentation" service when this process spikes.  If it is the "IT guy" running something, you may just find out when he comes looking for your computer to figure out what happened.  In fact, if you tried to disable it, you might get to the bottom of it when either one of your apps don't work -- or one of his.  8)
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Quote from: Mark on November 16, 2011, 02:48:01 PM
In fact, if you tried to disable it, you might get to the bottom of it when either one of your apps don't work -- or one of his.  8)

Love it!  +1
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Lance Bateman

Thanks Mark. See my comments below - unable to end the process, unable to do a lot. And this is the only instance showing on the computer.  And if I log in as admin on the computer locally, the process isn't running.  I think there is a need to log in from my computer with an admin access to see what can be done.

Jeff Zylstra

If you can get a "run" prompt, try typing "Services.MSC" and see if it brings up a list of services.  Or better yet, open a command prompt that has administrative privileges and type services.msc from the command line, and then arrow down to the Windows Management Instrumentation" service, and choose "stop".
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Lance Bateman

Did the malwarebytes scan (full), nothing.
Tried to get into see security, services, event viewer - they are locked down (starting to feel my frustration yet???)
Trying to either get a login to the network with admin rights so I can do some of the necessary steps, or get the guy who has these rights to work on it.

Lance Bateman

A bit leery of stopping Windows Management Instrumentation service.  However, the only other network service I see out there is Remote Procedure Call (RPC) which is starting automatically.

Quote from: Jeff Zylstra on November 16, 2011, 03:25:33 PM
If you can get a "run" prompt, try typing "Services.MSC" and see if it brings up a list of services.  Or better yet, open a command prompt that has administrative privileges and type services.msc from the command line, and then arrow down to the Windows Management Instrumentation" service, and choose "stop".

Mark

Quote from: Lance Bateman on November 16, 2011, 03:32:43 PM
A bit leery of stopping Windows Management Instrumentation service.  However, the only other network service I see out there is Remote Procedure Call (RPC) which is starting automatically.

I'd leave RPC alone as it's necessary for many things.  However, WMI could likely be stopped and started without any harm.  I think you'd notice fairly quickly if you needed it for something because that said something would start having problems.  WMI is used in scripting/automating to get configuration information or make configuration changes.  For example, I use it in a vbs script to find out what user is logged onto a specific computer.  Spiceworks uses it for just about everything it does.

This is a bit technical, but explains WMI: https://en.wikipedia.org/wiki/Windows_Management_Instrumentation

Lastly, if you suspect a service is causing issues on your computer, attempting to stop it might help reveal what the issue is.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

#14
If you can log on to this station as a local admin, I think that you can disable this service.  I don't know if merely stopping it would work since logging in as "Lance" may start the service again.  Mark might know better on that.

P.S.  I don't know if your agency uses WSUS or not - Windows Server Update Service.  It allows a server to download, manage and install Windows and many other Microsoft updates.  Anyway, a service pack or other major update that is installing can stall out a computer.  Not sure if it would cause WMI to spike the CPU, and not sure if it would or could take several hours, either.  The "several hours" part is what is concerning me.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Lance Bateman

I logged on as local admin, it was running though not hogging the CPU; stopped it and it came right back. IT logged on to the network from my computer, ended it, and it came right back. It's only hitting my computer.

As I seem to be the only problem child, I guess the next step is wiping the computer and then re-installing.  Until he decides to do that (he apparently has no images to use), I guess I get to stumble through.  Yes, I'm frustrated as I would expect any staff person to be when I was doing sys admin at all prior employers.

Jeff Zylstra

#16
I would download and run process explorer next.  In case you aren't familiar with it, it is a much more capable and in depth view than task manager gives, letting you see what other files and/or services are interacting with wmiprvse.exe.  You don't even need to install the process explorer.  Just download it to your desktop and click on it, and it gives you a graphic view of what's happening by clicking on wmiprvse.exe in the list of files. 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop