wmiprvse.exe?

Discussion in 'ProcessGuard' started by spy1, Mar 3, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    3 Mar 12:26:35 - [P] c:\windows\system32\wbem\wmiprvse.exe [3996] tried to gain READ access on c:\program files\processguard\pg_msgprot.exe [472]

    Anyone know off the top of their head what this one is? I notice it asks for read access, seemingly at random (no specific behavior on my part triggers it). Pete
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi pete,

    This will help you,

    Windows Management Instrumentation Provider Service first introduced in Windows XP, and then in Windows 2003. WMIPRVSE is a host process for WMI provider services. It is a new Windows architecture intended to eliminate the previous problems in Windows 2000 where the failure of a WMI provider service would make the whole WMI service fail as, then, WMI provider services were loaded in-process with the WMI Service (a new request to WMI would restart the WMI Service). With the new WMIPRVSE model, failure of a single WMI provider service affects that service only rather than the entire WMI Service. For the layman : this is an essential Windows XP/2003 service which will start whenever a specific piece of software requires its facilities.

    Recommendation:
    Essential; leave alone. Note that, as with SVCHOST, there may be more than one instance of WMIPRVSE running in your Task List: this is normal. Also, some users will never have witnessed the WMIPRVSE service running on their Windows XP/2003 PC, and then notice it running one day and every day thereafter: this is also normal and will in most cases be the result of some software having been installed (and installing WMI provider services) or the result of a Windows Update. Finally, as with SVCHOST, if you experience errors or excess CPU usage with WMIPRVSE, the problem will in almost all cases be with the WMI provider process that WMIPRVSE is hosting, not with WMIPRVSE itself, or you may have a hardware problem or incompatibility which is not yet at the "serious" stage; see if Microsoft's Windows Update has WMI related fixes for your PC/Server; also, on a network, we have empirical evidence that poor network card drivers or chipsets on any part of the network may result in excessive CPU usage by WMIPRVSE.

    thank you
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you, subratam! I appreciate the info. Looks like another case of "ignore the log entry and move along", to me. Pete
     
  4. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    My pleasure

    nice to be of help to you

    take care
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sub,

    Please state your sources.
    http://www.answersthatwork.com/Tasklist_pages/tasklist_w.htm

    TIA,

    Pieter
     
  6. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    spy1,
    Sorry for the delayed response. I just came across your thread in a Google search. I was researching the same problem you had. I also use PG and it seems that a better solution than ignoring the log entry would be to add the wmiprvse.exe file to your list of protected programs and allow it Read and GetInfo privileges. You may have already done this, or even forgot about this issue by now, but I thought I'd offer the suggestion anyway. Let me know what you decided.
     
  7. cpraimos

    cpraimos Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    1
    Hello,
    Interesting story to explain real quick! I'm currently running Windows 2003 Server Standard Edition and also running Microsoft Exchange 2003. About 5 days ago I discovered I wasn't able to log in to my Exchange server. The connection kept timing out. After trying several attempts from different locations, I decided to check out the server itself to see what was going on. I quickly discovered the system was running really slowly and I decided to reboot the server. After rebooting the server I realized that in my Task Manager under Processes I found wmiprvse.exe running 15 times. Searching Google I found several different solutions, many of them pointing to the W32/Sonebot-B virus, the TROJ_GLETTA.A virus and the Sasser worm. After searching Google and making sure I have no virus or worm on my server, I searched the Microsoft website and found KB article 835438 at Microsoft, which tells me to call them or wait for the next service pack. After going insane with little to no help, I figured I would go back to the basics of troubleshooting!

    Here was the answer to the problem. I recently started running my own global DNS server. I decided to mirror the DNS on my Exchange server and on my primary server. Turns out this was causing a conflict because both of the servers had the same domain name, which was crashing my Exchange server. To resolve this problem I changed the name on my Exchange server and rebooted the server, and the problem was solved!

    No virus, no service pack needed.

    Anyway, hope this helps!
    Chris
     
  8. WishBone6000

    WishBone6000 Guest

    MAJOR WARNING

    I have been cleaning this file from Windows 2000/XP workstations as it is also a trojan. I cannot find ANYTHING about this on the web - I keep, instead, finding forums like this discussing the legitimate use of the normal file.

    This thing is visible in the Task Manager but when instructed to stop, it reappears immediately.
    I cannot, as yet, find a registry entry for it, nor do I know what it is unpacking/running, but it does redirect the IE default page every 15 seconds (in case you've changed it back). Other damage/hijacking I don't know yet.

    The only method of removal was to reboot the workstation using the 2000/XP CD in "Recovery Console" mode, rename the file to something else and replace it with a NOTEPAD.EXE instead. Notepad ran 3 times when the machine booted up again! I found it in the WBEM folder. I did read that the legitimate file resides only in the SYSTEM32 folder but I'm not sure if this is accurate.

    Suffice to say that it MAY belong/be expected on servers but NOT on workstation operating systems, so if you find it, kill it as it's a hijacker.

    Thanks - oh and PLEASE spread the word because I can't find this ANYWHERE at the moment!
     
  9. neosun

    neosun Guest

  10. neosun

    neosun Guest

    You see the registry entries on the button "description".
    Regards, neosun@uboot.com
     
  11. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    Hum, I have never seen more than one instance of wmiprvse.exe running. Though, I agree, it is completely normal seeing WMI services running occasionally, at least they are on my computer.


    I surely agree with that. Though I have a non-patched computer and the file was there from the Windows XP Pro installation (though I downloaded "fresh" files during the installation procedure, I doubt WMI is missing from the installation CD).

    In my case, WMI processes, i.e. files in %SYSTEMROOT%\system32\wbem\, are executed in at least two cases. In one, it is completely without my intervention; in the second, I "cause" that execution (by starting some program, see below).

    1. In the first case, as mentioned, D:\WINDOWS\System32\wbem\wmiprvse.exe is started continuously, let's say every 2-4 hours, by HelpSvc.exe with the /Embedding switch, which resides in "D:\WINDOWS\PCHealth\HelpCtr\Binaries" and is mostly used by HelpCtr.exe (Microsoft Help and Support Center). The WMI is a rather special process, a Win32 Job. In my case, it runs with 32 "active processes", and the Job's NT Object Manager name is \BaseNamedObjects\WmiProviderSubSystemHostJob ...

    Well, finally wmiprvse.exe starts logging some data in D:\WINDOWS\system32\wbem\Logs\, particularly in the file FrameWork.log, runs for a minute or so, and then closes. There are entries like these inside it (see for yourself on your machine):

    Code:
    Unable to locate Shell Process, Impersonation failed.   09/02/2004 14:18:05.133    thread:996   [d:\xpclient\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
    Shell Name explorer.exe in Registry not found in process list.   09/02/2004 14:18:05.153    thread:1676   [d:\xpclient\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
    


    2. For the second case, I would rather paste text from my mail to the authors of this program, which uses WMI for memory management. Let me just say that two WMI-related processes are started here, wmiprvse.exe and wmiapsrv.exe ...



    Cheers
     
    Last edited: Sep 4, 2004
  12. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia


    Sorry guys for double posting, but I suddenly just couldn't see that EDIT button, neither with IE nor with Mozilla Firefox, because I wanted to add that bolded text.


    Cheers
     
  13. clokkevi

    clokkevi Registered Member

    Joined:
    Oct 19, 2004
    Posts:
    1
    No - it's the opposite! :)

    The good one is %SYSTEMROOT%\system32\wbem\wmiprvse.exe
    - located among all the other wmi*.* files.


    The bad one is %SYSTEMROOT%\system32\wmiprvse.exe
    - and it will of course need "extra help" to get started each time Windows starts;
    it will make a reference to itself in the start-up place of the Windows Registry,
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
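    A defender-side triage of the two points raised in this thread, the ProcessGuard log line in the first post and the path rule in the post above, as an added example that is not from the original thread, from ProcessGuard, or from any poster: it parses log lines in the quoted format, classifies the requesting image by whether it sits in %SYSTEMROOT%\system32\wbem, and flags Run-key values that launch a wmiprvse.exe from anywhere else. The log lines, Run values and their names are constructed samples.

```python
import re
from pathlib import PureWindowsPath
# Constructed ProcessGuard-style log lines in the format quoted in the first post: the
# first mirrors the original entry, the second is made up for a copy of wmiprvse.exe
# sitting directly in system32 (the location the post above calls the bad one).
SAMPLE_PG_LOG = [
    r"3 Mar 12:26:35 - [P] c:\windows\system32\wbem\wmiprvse.exe [3996] tried to gain READ access on c:\program files\processguard\pg_msgprot.exe [472]",
    r"3 Mar 12:40:02 - [P] c:\windows\system32\wmiprvse.exe [2210] tried to gain READ access on c:\program files\processguard\pg_msgprot.exe [472]",
]
# Constructed HKLM\...\Run values (value name -> command line); both names are hypothetical.
SAMPLE_RUN_VALUES = {
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" /background',
    "wmi": r"C:\WINDOWS\system32\wmiprvse.exe",
}
PG_LINE = re.compile(
    r"^(?P<when>\d{1,2} \w{3} \d\d:\d\d:\d\d) - \[(?P<flag>\w)\] (?P<src>.+?) \[(?P<src_pid>\d+)\]"
    r" tried to gain (?P<access>[A-Z ]+?) access on (?P<dst>.+?) \[(?P<dst_pid>\d+)\]$"
)

def parse_pg_line(line):
    """Split one ProcessGuard log line into its fields; None if it does not match."""
    m = PG_LINE.match(line.strip())
    return m.groupdict() if m else None

def classify_wmiprvse(path, systemroot=r"c:\windows"):
    """'expected' only for <systemroot>\\system32\\wbem\\wmiprvse.exe, 'suspect' for that name elsewhere, else 'other'."""
    p = PureWindowsPath(path.strip('"'))
    if p.name.lower() != "wmiprvse.exe":
        return "other"
    good = PureWindowsPath(systemroot, "system32", "wbem", "wmiprvse.exe")
    return "expected" if str(p).lower() == str(good).lower() else "suspect"

def command_image(cmd):
    """Executable part of a Run-key command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def triage_pg_log(lines, systemroot=r"c:\windows"):
    """(source path, pid, classification) for every wmiprvse.exe entry in the log."""
    out = []
    for rec in filter(None, map(parse_pg_line, lines)):
        verdict = classify_wmiprvse(rec["src"], systemroot)
        if verdict != "other":
            out.append((rec["src"], int(rec["src_pid"]), verdict))
    return out
def suspect_run_entries(run_values, systemroot=r"c:\windows"):
    """Run value names whose command starts a wmiprvse.exe outside the wbem folder."""
    return [name for name, cmd in run_values.items()
            if classify_wmiprvse(command_image(cmd), systemroot) == "suspect"]
```

    On a real machine the same two functions would be fed the process image paths from Task Manager and the values read from the Run key; a "suspect" verdict says only that the file is not where the genuine provider host lives, not what it is.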
     
  14. We had exactly the same problem when migrating from an NT 4.0 server to a Windows 2003 server with Exchange 2003. The wmiprvse.exe process appeared in the Task Manager list several times, and we found out that the problem was that the old (legacy) server was connected to the server, and both were domain servers, using the same domain name.

    It is important to know that there was only one DNS server running (the new server), so we believe that this problem could be related to WINS (domain name service), and not only DNS.

    Thanks for the hint!

    Friendly Team
     
  15. mizzl

    mizzl Guest

    It's having two PDCs (Primary Domain Controllers) on the same network, both trying to control the same domain. Big trouble.

    To solve this mess, open AD, right-click on the domain and choose "operation manager"; make sure that both servers aren't trying to take ownership of the PDC, RIS or ISM.
     