High CPU usage on Server 2012 Domain Controller from WMI Provider Host


We started having issues with our desktops not reading GPOs. Since almost all of them go to this one DC, I started looking there. I discovered that WMI Provider Host was running 40-50% CPU all the time and the WMI Activity Operational log was full of errors. We eventually discovered the reason for the GPO issues and fixed it, and we also moved the DC that most of the desktops should log into. Looking at this second DC, the WMI Provider Host is running at a pretty low percent. On the DC in question, the WMI CPU usage has dropped to more like 35-40%, but that's still too high. Looking in the WMI-Activity Operational log, there seem to be fewer errors than before, but there are still too many in my estimation.

The errors are event type 5858 and look like the following two:

Id = {980D4144-9AEB-0001-6F97-0D98EB9AD501}; ClientMachine = ; User = *****\administrator; ClientProcessId = 896; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT EventCode,InsertionStrings,RecordNumber FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType=4 AND (EventCode=540 OR EventCode=672 OR EventCode=4624 OR EventCode=4768) AND RecordNumber > 2298538071; ResultCode = 0x80041032; PossibleCause = Unknown

Id = {980D4144-9AEB-0001-6F97-0D98EB9AD501}; ClientMachine = ; User = ******\administrator; ClientProcessId = 896; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT EventCode,InsertionStrings,RecordNumber FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType=4 AND (EventCode=540 OR EventCode=672 OR EventCode=4624 OR EventCode=4768) AND RecordNumber > 2298538010; ResultCode = 0x80041032; PossibleCause = Unknown

Any thoughts on how to fix this?

3 Replies
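This one might help.

https://support.microsoft.com/en-us/help/3124914/wmi-activity-event-5858-logged-frequently-with-resultcode-0x80041032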

@Dave Patrick

So, you may very well be right, but how do I "modified to issue calls to IEnumWbemClassObject::Next to retrieve the full result set"?

You may need to get in touch with the developer of the WMI application that makes the calls.
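
As an added example (not part of the thread and not Microsoft's code), the PowerShell below parses the 5858 message text quoted in the original post and counts failures per ClientProcessId and query, which is the first step toward naming the application whose developer would need to be contacted. The function name `ConvertFrom-Wmi5858Message` is hypothetical; the sample messages are the two from the post.

```powershell
# Added example (not from the thread): parse WMI-Activity event 5858 text and
# count failures per calling process and query shape.
# 0x80041032 is WBEM_E_CALL_CANCELLED.
function ConvertFrom-Wmi5858Message {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        $pattern = '(?s)ClientMachine = (?<Machine>[^;]*); User = (?<User>[^;]*); ' +
                   'ClientProcessId = (?<ProcId>\d+);.*?Operation = (?<Op>.*?); ' +
                   'ResultCode = (?<Result>0x[0-9A-Fa-f]+)'
        if ($Message -notmatch $pattern) { return }   # skip text in another layout
        [pscustomobject]@{
            ClientMachine   = ([string]$Matches.Machine).Trim()
            User            = ([string]$Matches.User).Trim()
            ClientProcessId = [int]$Matches.ProcId
            ResultCode      = $Matches.Result
            # Mask the moving RecordNumber bound so repeated polls group together.
            Query           = $Matches.Op -replace '([<>]=?\s*)\d+', '$1<n>'
        }
    }
}

# The two event messages quoted in the original post.
$sample = @'
Id = {980D4144-9AEB-0001-6F97-0D98EB9AD501}; ClientMachine = ; User = *****\administrator; ClientProcessId = 896; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT EventCode,InsertionStrings,RecordNumber FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType=4 AND (EventCode=540 OR EventCode=672 OR EventCode=4624 OR EventCode=4768) AND RecordNumber > 2298538071; ResultCode = 0x80041032; PossibleCause = Unknown
Id = {980D4144-9AEB-0001-6F97-0D98EB9AD501}; ClientMachine = ; User = ******\administrator; ClientProcessId = 896; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT EventCode,InsertionStrings,RecordNumber FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType=4 AND (EventCode=540 OR EventCode=672 OR EventCode=4624 OR EventCode=4768) AND RecordNumber > 2298538010; ResultCode = 0x80041032; PossibleCause = Unknown
'@ -split "`r?`n"

# Both samples collapse into one group: same process, result code and query shape.
$sample | ConvertFrom-Wmi5858Message |
    Group-Object ClientProcessId, ResultCode, Query |
    Sort-Object Count -Descending |
    Format-List Count, Name

# On the DC, read the live log instead of $sample:
#   Get-WinEvent -FilterHashtable @{
#       LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5858
#   } -MaxEvents 1000 | ForEach-Object Message | ConvertFrom-Wmi5858Message
# If the caller is local to the DC (an assumption; ClientMachine is blank in the
# posted events), name it while it is still running:
#   Get-Process -Id 896 | Select-Object Id, ProcessName, Path
```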