WMI Activity consuming High CPU and Memory

Question

I have a multiple production server with EC2 Windows 2019 based instances in Amazon Cloud. I'm facing issue that WMI Process make High CPU and High Memory. I have installed some third party agents such monitoring too agent and Anti-virus agent on all windows 2019 machines. If I stop the WMI Process in Task manager. Then some of agents too stopped. I have checked the Process Id with event logs and searching the process id in Task manager. I can see some process with same ID.

I can see multiple error with same Event ID.

Finally I update the patch using Amazon System Manager Server Patching. After completed the patching, Still I could see this errors and WMI Process. Is it legitimate process then why its consuming more CPU and Memory? How can I resolve this issues? Can any please help me out from this issues?

Answer 1

Hello

The WMI process (WmiPrvSE.exe) is a legitimate part of Windows and stands for Windows Management Instrumentation Provider Service. It’s used by applications on your computer to request information about your system. This process is essential for the smooth operation of your system.

High CPU usage by the WMI process is usually a sign that another application is requesting data through WMI. This could be a temporary situation, for example, an application might be doing a system scan and using WMI to gather data.

However, if you’re consistently seeing high CPU usage from this process, it could indicate a problem. One common issue is that an application is making a large number of WMI queries. This could be due to a misbehaving application, or it could be a sign of a malware infection.

The Event ID 5858 with ResultCode 0x80041032 (WBEM_E_CALL_CANCELLED) indicates that the WMI caller has successfully issued IWbemServices:ExecQuery, but has released the IWbemContext object before retrieving the full result set using the IEnumWbemClassObject::Next method. This error can happen if the WMI application calls IEnumWbemClassObject::Next with a timeout value (lTimeout) that is not long enough to retrieve the object being queried, and is not checking for a return code of WBEM_S_TIMEDOUT (0x40004) in order to issue the request again.

To resolve this issue, the WMI client application should be modified to issue calls to IEnumWbemClassObject::Next to retrieve the full result set, before releasing the IWbemContext object. If no objects are received, make sure that the timeout value (lTimeout) is greater than 0 and that WBEM_S_TIMEDOUT (0x40004) is not being returned.

If you’re not sure which application is causing the high CPU usage, you can use the Event Viewer to find recent “Error” events and locate the process ID number. Then, use Task Manager to identify the process, and either end it or restart it.