Home

High CPU usage on Server 2012 Domain Controller from WMI Provider Host

%3CLINGO-SUB%20id%3D%22lingo-sub-1011534%22%20slang%3D%22en-US%22%3EHigh%20CPU%20usage%20on%20Server%202012%20Domain%20Controller%20from%20WMI%20Provider%20Host%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1011534%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20started%20having%20issues%20with%20our%20desktops%20not%20reading%20GPOs%20since%20almost%20all%20of%20them%20go%20to%20this%20one%20DC%2C%20I%20started%20looking%20there.%26nbsp%3B%20I%20discovered%20that%20WMI%20Provider%20Host%20was%20running%2040-50%25%20CPU%20all%20the%20time%20and%20the%20WMI%20Activity%20Operational%20log%20was%20full%20of%20errors.%20We%20eventually%20discovered%20the%20reason%20for%20the%20GPO%20issues%20and%20fixed%20it%20and%20we%20also%20moved%20the%20DC%20that%20most%20of%20the%20desktop%20should%20log%20into.%20Looking%20at%20this%20second%20DC%2C%20the%20WMI%20Provider%20Host%20is%20running%20at%20a%20pretty%20low%20percent.%20On%20the%20DC%20in%20question%2C%20the%20WMI%20CPU%20usage%20has%20dropped%20to%20more%20like%2035-40%25%2C%20but%20that's%20still%20too%20high.%20Looking%20in%20the%20WMI-Activity%20Operational%20log%20There%20seem%20to%20be%20less%20errors%20than%20before%2C%20but%20there's%20still%20too%20many%20in%20my%20estimation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20errors%20are%20event%20type%205858%20and%20look%20like%20the%20following%20two%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EId%20%3D%20%7B980D4144-9AEB-0001-6F97-0D98EB9AD501%7D%3B%20ClientMachine%20%3D%20%3B%20User%20%3D%20*****%5Cadministrator%3B%20ClientProcessId%20%3D%20896%3B%20Component%20%3D%20Unknown%3B%20Operation%20%3D%20Start%20IWbemServices%3A%3AExecQuery%20-%20root%5Ccimv2%20%3A%20SELECT%20EventCode%2CInsertionStrings%2CRecordNumber%20FROM%20Win32_NTLogEvent%20WHERE%20Logfile%20%3D%20'Security'%20AND%20EventType%3D4%20AND%20(EventCode%3D540%20OR%20EventCode%3D672%20OR%20EventCode%3D4624%20OR%20EventCode%3D4768)%20AND%20RecordNumber%20%26gt%3B%202298538071%3B%20ResultCode%20%3D%200x80041032%3B%20PossibleCause%20%3D%20Unknown%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EId%20%3D%20%7B980D4144-9AEB-0001-6F97-0D98EB9AD501%7D%3B%20ClientMachine%20%3D%20%3B%20User%20%3D%20******%5Cadministrator%3B%20ClientProcessId%20%3D%20896%3B%20Component%20%3D%20Unknown%3B%20Operation%20%3D%20Start%20IWbemServices%3A%3AExecQuery%20-%20root%5Ccimv2%20%3A%20SELECT%20EventCode%2CInsertionStrings%2CRecordNumber%20FROM%20Win32_NTLogEvent%20WHERE%20Logfile%20%3D%20'Security'%20AND%20EventType%3D4%20AND%20(EventCode%3D540%20OR%20EventCode%3D672%20OR%20EventCode%3D4624%20OR%20EventCode%3D4768)%20AND%20RecordNumber%20%26gt%3B%202298538010%3B%20ResultCode%20%3D%200x80041032%3B%20PossibleCause%20%3D%20Unknown%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20thoughts%20on%20how%20to%20fix%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1011534%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1011643%22%20slang%3D%22en-US%22%3ERe%3A%20High%20CPU%20usage%20on%20Server%202012%20Domain%20Controller%20from%20WMI%20Provider%20Host%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1011643%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20one%20might%20help.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F3124914%2Fwmi-activity-event-5858-logged-frequently-with-resultcode-0x80041032%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F3124914%2Fwmi-activity-event-5858-logged-frequently-with-resultcode-0x80041032%3C%2FFONT%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1011666%22%20slang%3D%22en-US%22%3ERe%3A%20High%20CPU%20usage%20on%20Server%202012%20Domain%20Controller%20from%20WMI%20Provider%20Host%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1011666%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F51719%22%20target%3D%22_blank%22%3E%40Dave%20Patrick%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20you%20may%20very%20well%20be%20right%2C%20but%20how%20do%20I%20%22%3CSPAN%3Emodified%20to%20issue%20calls%20to%20IEnumWbemClassObject%3A%3ANext%20to%20retrieve%20the%20full%20result%20set%22%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1012361%22%20slang%3D%22en-US%22%3ERe%3A%20High%20CPU%20usage%20on%20Server%202012%20Domain%20Controller%20from%20WMI%20Provider%20Host%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1012361%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20may%20need%20to%20get%20in%20touch%20with%20the%20developer%20of%20WMI%20application%20that%20makes%20the%20calls.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
jhyiesla
New Contributor

We started having issues with our desktops not reading GPOs since almost all of them go to this one DC, I started looking there.  I discovered that WMI Provider Host was running 40-50% CPU all the time and the WMI Activity Operational log was full of errors. We eventually discovered the reason for the GPO issues and fixed it and we also moved the DC that most of the desktop should log into. Looking at this second DC, the WMI Provider Host is running at a pretty low percent. On the DC in question, the WMI CPU usage has dropped to more like 35-40%, but that's still too high. Looking in the WMI-Activity Operational log There seem to be less errors than before, but there's still too many in my estimation.

 

The errors are event type 5858 and look like the following two:

 

 

Id = {980D4144-9AEB-0001-6F97-0D98EB9AD501}; ClientMachine = ; User = *****\administrator; ClientProcessId = 896; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT EventCode,InsertionStrings,RecordNumber FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType=4 AND (EventCode=540 OR EventCode=672 OR EventCode=4624 OR EventCode=4768) AND RecordNumber > 2298538071; ResultCode = 0x80041032; PossibleCause = Unknown

 

Id = {980D4144-9AEB-0001-6F97-0D98EB9AD501}; ClientMachine = ; User = ******\administrator; ClientProcessId = 896; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT EventCode,InsertionStrings,RecordNumber FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType=4 AND (EventCode=540 OR EventCode=672 OR EventCode=4624 OR EventCode=4768) AND RecordNumber > 2298538010; ResultCode = 0x80041032; PossibleCause = Unknown

 

Any thoughts on how to fix this?

3 Replies

@Dave Patrick 

 

So, you may very well be right, but how do I "modified to issue calls to IEnumWbemClassObject::Next to retrieve the full result set"?

 

You may need to get in touch with the developer of WMI application that makes the calls.

 

 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies