DerDoode
Copper Contributor
Jun 04, 2025

Endless WebDAV requests caused by WqlEventQuery

Hi, 

I'm facing problems when mapping a drive via WebDAV and simultaneously using WqlEventQuery to monitor created or deleted logical disks.

1. WebDAV:

The network drive is mapped to a folder e.g. http://192.168.178.10/folder. Here it is important that the network device does not allow access to http://192.168.178.10/ and will respond with a 403 status code if that "root" folder is accessed via e.g. PROPFIND.

I have also set up a WebDAV server on localhost for troubleshooting which is configured to behave equally.

2. WqlEventQuery:

I need to monitor whenever logical drives are created and do this using a WqlEventQuery and ManagementEventWatcher (in C#) which looks like "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA Win32_LogicalDisk"

Now the issue is that as soon as the ManagementEventWatcher is started, Windows tries to access the mapped WebDAV drive, but not using the path which was used for mapping. Instead it tries to access the device's "root" folder "http://192.168.178.10", which obviously will be answered with 403. These accesses keep happening as long as the ManagementEventWatcher is running. Below you can also find a screenshot of what it looks like on my test server on localhost.

Every second I get 4 PROPFIND requests to "/". The issue here is that this causes the MsMpEng.exe to consume quite some CPU time and the mouse cursor is constantly flickering and showing the loading cursor.

I also found that the process hosting the WebDAV client service (svchost with ref to webclnt.dll) continuously spawns new processes of the executable rundll32.exe with the following entrypoint/command: davclnt.dll, DavSetCookie (probably that's also why MsMpEng is becoming active).

Does anybody have an idea why this happens and how I could manage to have both WebDAV and the WqlEventQuery running without these weird accesses?

 

 

5 Replies

  • Matthiasar
    Iron Contributor

    WMI event subscriptions might periodically trigger disk enumeration or other system calls that, directly or indirectly, cause WebDAV requests.

    • DravenPierce
      Iron Contributor

      You’re absolutely right—WMI event subscriptions can definitely kick off background system queries, including disk enumeration. If you have any mapped WebDAV drives or related shell extensions, these background calls can sometimes trigger unexpected WebDAV network requests, even when you’re not actively accessing those drives. This can lead to random network traffic, authentication prompts, or slowdowns, especially in enterprise environments.

      If this behavior is causing issues, you can try auditing which WMI events or scripts are registered (using Get-WmiObject -Namespace root\subscription -Class __EventFilter), or limit/unmap unnecessary WebDAV connections. Have you noticed these WebDAV calls showing up at specific intervals, or tied to certain events?

      • DerDoode
        Copper Contributor

        Yes, the WebDAV requests are directly connected to the WqlQuery I posted above. The requests stop as soon as the WqlQuery is not active anymore.

        The frequency of WebDAV requests solely depends on the interval provided in the WqlQuery. So currently it's set to 1s and I see 4 requests per second. If it's 2s I see 4 requests every two seconds etc.
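Added example, not code from the thread: one way to measure, from the WebDAV test server's access log, the cadence reported above (bursts of denied PROPFIND requests to "/"), so that it can be compared with the WITHIN interval of the WQL query. The Common Log Format layout, the constructed sample lines and the names `build_sample` and `root_probe_cadence` are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed Common Log Format: ... [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def build_sample():
    """Constructed log: 4 denied PROPFINDs on "/" every 2 s, plus normal traffic."""
    lines = []
    for sec in (0, 2, 4):
        lines += [f'127.0.0.1 - - [04/Jun/2025:10:00:{sec:02d} +0200] '
                  '"PROPFIND / HTTP/1.1" 403 199'] * 4
    # Legitimate access to the mapped folder; must not be counted.
    lines.append('127.0.0.1 - - [04/Jun/2025:10:00:01 +0200] '
                 '"PROPFIND /folder HTTP/1.1" 207 1432')
    return lines


def root_probe_cadence(lines):
    """Return (requests_per_burst, seconds_between_bursts) for PROPFIND "/" -> 403.

    Returns None when fewer than two bursts are present. Both values are the
    most common ones seen, so a burst split across a second boundary or a
    missed poll does not skew the result.
    """
    per_second = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or (m["method"], m["path"], m["status"]) != ("PROPFIND", "/", "403"):
            continue
        per_second[datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")] += 1
    if len(per_second) < 2:
        return None
    stamps = sorted(per_second)
    gaps = Counter(int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:]))
    burst = Counter(per_second.values()).most_common(1)[0][0]
    return burst, gaps.most_common(1)[0][0]


if __name__ == "__main__":
    print(root_probe_cadence(build_sample()))
```

A burst interval that follows the WITHIN value when the query is changed ties the denied requests to the WMI polling rather than to another client of the share.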

  • DerDoode
    Copper Contributor

    Here's also a screenshot (from System Explorer) of the rundll32 processes that are being started again and again. Even multiple of them run in parallel. As you can see the argument is http://localhost/ instead of http://localhost/folder.

     
