NOD32 and Winmgmt.exe

Discussion in 'NOD32 version 2 Forum' started by JBravo, Sep 30, 2004.

Thread Status:
Not open for further replies.
  1. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Hello JBravo,

    I found some details about Winmgmt.exe. Apologies if you were already aware of this. It is a core component of client management in Windows. This process initializes when the first client application connects, or continuously when management applications request its services. The winmgmt.exe file is located in the c:\windows\System32 folder. In other cases, winmgmt.exe is a virus, spyware, trojan or worm.

    You've already said you've had a good hunt around for the file, so I don't know where else you could look. Have you performed an 'In-depth analysis' with NOD?

    Bandicoot.
     
  2. JBravo

    JBravo Guest

    Thanks for the suggestion and no apologies needed - I don't really know a heck of a lot about it.
    I just did an "In-depth analysis" (been meaning to try that anyway) and nothing was found. Based on what I've seen so far, I've got to believe that the NOD people have included the NOD32KRN.EXE auto-starting WINMGMT.EXE in the 98/WinME version even though, depending on the user, it may not be strictly necessary. For me, other than having an unnecessary process running, it's not a problem, though a couple of other posters seem to be experiencing a difficulty or two.
    Thanks.
     
  3. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Blackspear, I apologise

    Blackspear, I'm sorry I responded so sarcastically in the thread entitled "Nod32 and winmgmt.Exe". I was just so frustrated that Nod32 didn't work out for me. You are a great asset to this forum and offer lots of good advice :D

    Everything I said in that post was true. "winmgmt" did make my system very unstable, and slowed it down to a crawl. Nod32 also missed the "win32 kuang" virus. After uninstalling nod32 and installing avast free edition, Avast found the virus and I deleted it.

    I don't know why nod missed it :doubt: and avast found it. On a positive note, if nod32 can fix the "winmgmt" issue, I may try it again. I had nod32 set to deep mode when I scanned. However, being new and just getting acquainted with nod, I may have set something wrong. That may be the reason that nod missed it. I don't know. I'm not a basher of any product. I know nod32 is a great product, cause it has won so many vbs awards.

    It just didn't run good on my computer. :D
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I did read your post, you downloaded a “Trial Version” of Nod32, thus your system either had no virus protection before and was infected, or was infected and then you downloaded Nod32. Nod32 had this virus in its 1.874 database on Sept 21st 2004; it is also known as Win32/Parite.B


    A computer can appear to run smooth with an infection…


    Very unlikely; more likely that there now was a conflict between the virus and Nod32. Like I pointed to, there are many other means of ensuring a system is clean before installing your anti-virus of choice; it is a better option to install an anti-virus on a clean system.


    Like I said placing an antivirus product on an already compromised system is haphazard at best…


    I based my reply on your post, being that I am not in front of your PC, it can make diagnosis somewhat more difficult, however, this is what my two shops do for a living, day in, and day out… ;)


    That’s ok, no problem at all. I have merged the two threads together as they are dealing with the same issue…


    Many thanks for the kind words ;) :D


    As Bandicoot explained above “In other cases, winmgmt.exe is a virus, spyware, trojan or worm.”


    Already addressed above.


    Mr Coot is on the case, I don’t think he has finished with the issue just yet, as there are others that have perfectly clean systems where Nod32 is starting “winmgmt”.


    I have made a tutorial at the top of this forum for setting up Nod32 that you should be able to follow :D


    I am yet to see a computer that I cannot get Nod32 up and running smoothly, even BigC has it running after finding a few problems, he is running the latest version 2.12.3 though, and has a 2nd anti-virus on his system, which is not something I have ever done…

    All the best…

    Cheers :D
     
  5. gunnarj

    gunnarj Registered Member

    Joined:
    Jun 8, 2002
    Posts:
    80
    Hello all,

    I was wondering if anybody has found out if there is a way to stop Winmgmt.exe from starting with Nod32 as it slows down my system and causes problems.

    I have submitted a support ticket request to Nod, asking either for a way to stop Winmgmt.exe from starting when Nod32 starts or for a fix version of Nod32 for my WinME stand-alone system.

    Thanks in advance for any help,

    gunnarj
     
  6. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Hello Gunnarj,

    I'm wondering if this is caused by XP security centre support, but I may be wrong. NOD32 does not explicitly execute winmgmt.exe. We weren't able to replicate the behaviour you've described because when we tested it, the security center was starting on the test computer also, without NOD32 Installed.

    Could you tell me your exact system information please? We'll try to replicate it again.

    Bandicoot.
     
  7. gunnarj

    gunnarj Registered Member

    Joined:
    Jun 8, 2002
    Posts:
    80
    Hello Bandicoot,

    I have WinME, not administrative. Reading through this thread will bring the problem more clearly to light.

    Here is my system information:

    NOD32 Antivirus System information
    Virus signature database version: 1.917 (20041106)
    Dated: Saturday, November 06, 2004
    Virus signature database build: 4963
    Information on other scanner support parts
    Advanced heuristics module version: 1.010 (20040902)
    Advanced heuristics module build: 1061
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.021 (20040917)
    Archive support module build version: 1101
    Information on installed components
    NOD32 For Windows 95/98/ME - Base
    Version: 2.12.3
    NOD32 for Windows 95/98/ME - Standard component
    Version: 2.12.3
    NOD32 For Windows 95/98/ME - Internet support
    Version: 2.12.3
    Operating system information
    Platform: Windows ME
    Version: 4.90.3000
    Version of common control components: 5.81.4916
    RAM: 128 MB
    Processor: Intel(R) Pentium(R) 4 CPU 1500MHz

    .....

    From 'Task Info2002' it very clearly shows that Winmgmt.exe is started by Nod32, specifically Nod32Krn.exe:


    [Current Process Pane]
    CMD =C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE -Embedding
    Curr Dir =C:\
    Started by =C:\PROGRAM FILES\ESET\NOD32KRN.EXE
    Data KB =464 in mem = 288 in use = 52
    Code KB =3,884 in mem = 1,256 in use = 48
    Handles Count =41
    Windows = 2

    ..

    Also, if you will read through this thread, you will see that others have this problem also and have verified that it is Nod32 that is starting Winmgmt.exe on both WinME and Win98 stand-alone PCs, which it should not be doing.

    Hope this helps to clarify,

    Thanks for any help,

    gunnarj
     
  8. gunnarj

    gunnarj Registered Member

    Joined:
    Jun 8, 2002
    Posts:
    80
    From another thread:

    If this is true, is there a way to stop this 'svchost.exe container process' from starting on WinME/98 machines as it is not needed?

    I have also been researching the possibility that Winmgmt.exe is being started but not closing down correctly on some machines, mine included.

    If this is the case, I need a solution to fix this.


    In my WinMgmt.log I find repeated instances of this:




    Perhaps this means that Winmgmt is not being closed correctly?


    I also see these errors in the wbemcore.log:

    and this in my FrameWork.log:

    and finally this in my wbemprox.log:

    Perhaps these are all clues to this problem?

    The logs quoted above are all in the folder: C:\WINDOWS\SYSTEM\WBEM\Logs

    Thanks,

    gunnarj
     
  9. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Hello Gunnarj, JBravo, Mr2cents, anyone else I've forgotten and, of course, the irrepressible Mr. Spear,

    We've found the origin of the problem. As we thought at first, winmgmt.exe is executed by the XP SecurityCenter support code. There's an error in the code that detects whether the system is SecurityCenter capable, so it was executed on WinME as well. This will be fixed in the next version of NOD32.

    Thanks to all for bringing this to light and thanks also for your patience.

    Bandicoot
    Eset
    :D
     
  10. JBravo

    JBravo Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    2
    Thank you, Bandicoot, for the information.
    You know, a while back NOD was flagging a file in my PowerQuest folder, I sent it to them, a few hours later I get an e-mail saying that it is indeed a false positive and that it will be fixed in the next update - and it is fixed in the next update. Then I start this thread about a little bit of possibly questionable behaviour in NOD for WinME users, it gets discussed and now I'm informed that it will be fixed in the next version. What kind of company is ESET anyway?
    Thanks again.
    JBravo
     
  11. gunnarj

    gunnarj Registered Member

    Joined:
    Jun 8, 2002
    Posts:
    80
    Thank you Bandicoot and Eset staff,

    I am very satisfied with your thorough testing and response to the users with a favourable outcome. It certainly confirms to me why I continue to use and have faith in Nod32 - a superior AV.


    Looking forward to the next version.

    best,

    gunnarj
     
  12. JBravo

    JBravo Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    2
    I second gunnarj's reply - he said it better than I did.
    JBravo
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You both said it very well, persistence has paid off ;) :D

    A good result.

    A pleasure as always Mr Coot, I'm sure your middle name has to be ferret, as you have a knack for hunting down a problem ;) :D

    Cheers :D
     
  14. FanJ

    FanJ Guest

    Thanks Bandicoot and Eset !!! :D

    Warm regards, Jan.
     
  15. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Thanks for the info Bandicoot. When the next version of nod32 comes out, I will give it another try. I don't know the reason "winmgmt" slows my computer down so much. I run Windows ME, 192 MB RAM, Kerio 2.1.5 firewall, and BOClean. I've tested a lot of different antivirus products out there. I've never had a problem with any of them. However, there is something about "winmgmt" that slows my system to a crawl. :doubt:

    Bandicoot, do you have any idea when the next version of nod32 will be available? :)
     
  16. grayson

    grayson Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    6
    Hi
    I am a newbie to Nod32 and I have to say it's the best a/v I have ever used, and I have tried most.
    I have one issue that you might be able to help with.
    When I installed Nod 32 (3 weeks ago) I noticed that it had "woken up" "winmgnt". This now appears to be resident.
    I can see it if I do ctr-alt-del.
    Do I need this running, and if I don't, how can I disable it, as it is not in start up in msconfig or in the Windows startup menu?
    This is a stand alone pc with dialup connection. I use IE6 and outlook express.

    Many THANKS
    Grayson
     
    Last edited by a moderator: Dec 5, 2004
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Last edited: Dec 5, 2004
  18. grayson

    grayson Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    6
    Hi
    Thanks for your link regarding the issues with WINMGNT. Very interesting and informative. It's refreshing to get sensible comments about problems.
    I have had problems with 2 programs since I installed nod 32. They were Photoimpact..... running very slow then freezing, and Epson's Photoquicker 3.5 that comes with the Epson R300 printer. This program runs like a snail !!
    When I close down WINMGMT with ctr-alt-del the 2 programs work well.
    So I know it's not NOD32 (which I was beginning to suspect).
    I wonder if there is a successful way to disable winmgnt without compromising
    msinfo etc as the threads in the forum suggest.
    Thanks again for your help
    Grayson.

    PS.... have you seen the new security tool "Prevx Home"? It seems to fill the gap between antivirus and firewalls. Reports on it look good.
    Byee
     
    Last edited by a moderator: Dec 5, 2004
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure, it took some doing to find it, as you had misspelled winmgmt, you had an “n” instead of an “m”. I knew there was an existing thread, eventually found it ;) :D


    Can you try excluding AMON from scanning these two programs and see how that goes?


    Hopefully Marcos can advise us when we will expect to see this issue resolved in Nod32.


    I have been using Prevx for quite some time now, and am rather impressed with it; it is rather like a firewall in its popup alert messages. This is what works really well for me, very simple to use and maintain: https://www.wilderssecurity.com/showpost.php?p=315075

    Hope this helps…

    Cheers :D
     
    Last edited: Dec 5, 2004