Nov 15 2019 08:57 AM
We started having issues with our desktops not reading GPOs. Since almost all of them go to this one DC, I started looking there. I discovered that WMI Provider Host was running 40-50% CPU all the time and the WMI Activity Operational log was full of errors. We eventually discovered the reason for the GPO issues and fixed it, and we also moved the DC that most of the desktops should log into. Looking at this second DC, the WMI Provider Host is running at a pretty low percent. On the DC in question, the WMI CPU usage has dropped to more like 35-40%, but that's still too high. Looking in the WMI-Activity Operational log, there seem to be fewer errors than before, but there are still too many in my estimation.
The errors are event type 5858 and look like the following two:
Id = {980D4144-9AEB-0001-6F97-0D98EB9AD501}; ClientMachine = ; User = *****\administrator; ClientProcessId = 896; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT EventCode,InsertionStrings,RecordNumber FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType=4 AND (EventCode=540 OR EventCode=672 OR EventCode=4624 OR EventCode=4768) AND RecordNumber > 2298538071; ResultCode = 0x80041032; PossibleCause = Unknown
Id = {980D4144-9AEB-0001-6F97-0D98EB9AD501}; ClientMachine = ; User = ******\administrator; ClientProcessId = 896; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT EventCode,InsertionStrings,RecordNumber FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType=4 AND (EventCode=540 OR EventCode=672 OR EventCode=4624 OR EventCode=4768) AND RecordNumber > 2298538010; ResultCode = 0x80041032; PossibleCause = Unknown
Any thoughts on how to fix this?
Nov 15 2019 10:12 AM
So, you may very well be right, but how do I "modified to issue calls to IEnumWbemClassObject::Next to retrieve the full result set"?
Nov 15 2019 11:38 AM
You may need to get in touch with the developer of the WMI application that makes the calls.
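To find out which application that is, the 5858 events can be grouped by calling process and query. The following is an added example, not part of the thread; the regular expression follows the field layout of the two events quoted above, and it assumes ClientProcessId refers to a process on the machine that recorded the event.

```powershell
# Added example. Run in an elevated session on the DC that logs the errors.
$log = 'Microsoft-Windows-WMI-Activity/Operational'
# Field layout taken from the 5858 messages quoted in this thread.
$pattern = '(?s)ClientMachine = (?<Machine>[^;]*); User = (?<User>[^;]*); ' +
           'ClientProcessId = (?<ProcId>\d+); .*?Operation = (?<Operation>.*); ' +
           'ResultCode = (?<Result>0x[0-9A-Fa-f]+)'

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5858 } -MaxEvents 2000

$rows = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Machine = $Matches.Machine.Trim()
            User    = $Matches.User.Trim()
            ProcId  = [int]$Matches.ProcId
            Result  = $Matches.Result
            # Drop the moving record number so repeated polls group together.
            Query   = $Matches.Operation -replace 'RecordNumber > \d+', 'RecordNumber > <n>'
        }
    }
}

$rows | Group-Object ProcId, Result, Query |
    Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        # Assumption: ClientProcessId is a PID on this machine (ClientMachine is
        # empty in the quoted events) and has not been reused since the event.
        $proc = Get-Process -Id $first.ProcId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Count    = $_.Count
            ProcId   = $first.ProcId
            Process  = $proc.ProcessName
            Path     = $proc.Path
            User     = $first.User
            Result   = $first.Result
            LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
            Query    = $first.Query
        }
    } | Format-List
```

Process and Path come back empty when the process has already exited, so run it while the errors are still being logged.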