No matter how Microsoft is criticized for its overly intrusive policy, the company's main product, which is Windows, remains and will remain the most widespread operating system for a long time. Modern versions of Windows are distinguished by powerful expandable functionality, high stability and security - qualities that make this OS so popular. And yet, like all other systems, it is not perfect.
From time to time, Windows 7/10 users still have to deal with various kinds of problems caused by incorrect operation of the operating system components themselves. One example is the excessive activity of the WMI Provider Host process, sometimes using up to 95 percent of the CPU.
The consequences of such CPU load are more than obvious - system performance decreases sharply, and the computer begins to slow down, preventing the normal operation of programs. But what is this WMI Provider Host, why does it behave this way and how to make it work?
WMI Provider Host - what is this process and why is it needed in Windows 7/10
Let's start with the fact that WMI Provider Host is not a third-party component, but a standard Windows system process that manages equipment connections. The list of such equipment includes external hard drives, printers and scanners, flash drives, mice and keyboards, etc., but not built-in elements such as video and audio cards. The process is also involved in obtaining information about the operation of Windows by various software and administrative scripts.
The process runs from the wmiprvse.exe executable file, located in the C:\Windows\System32\wbem or C:\Windows\SysWOW64\wbem folder on 64-bit systems.
The process is not critical, so you can forcefully terminate it through the Task Manager. However, such a permanent shutdown is undesirable, as it can disrupt the operation of connected devices to the point that the computer no longer recognizes them.
Checking your computer for viruses
If no methods lead to a reduction in the load of the WMI Provider process, then virus activity can be suspected. The virus of the same name “wmiprvse.exe” makes changes to the DNS settings and also changes the Hosts file. In this case, the user not only faces unstable operation of the OS, but also problems accessing the Internet.
We need to make sure that this is really a malicious program:
- go to the “Task Manager” by launching it with the key combination “Ctrl+Shift+Esc”;
- select the “WmiPrvSE” process and right-click on it, then click “Open file location” in the context menu;
- Explorer will open, showing the directory in which the file is located. By default, the directory path is “C:\Windows\System32\wbem” (the system drive letter may vary). If the path is different, we can conclude that it is a virus. For additional diagnostics, let's check the file properties;
- right-click on “WmiPrvSE” and select “Properties” in the context menu. In the “Details” tab, pay attention to the “Copyright” item: “Microsoft Corporation” should be indicated. If it says otherwise, we are dealing with malware disguised as a system component.
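The same location check can be scripted and extended with a digital-signature check, since the “Copyright” field is plain file metadata that any executable can carry. This is an added example, not part of the original article; it assumes an elevated PowerShell 5.1 session on Windows 10, and the function name Test-WmiPrvSEBinary is hypothetical.

```powershell
# Added example: location and signature check for every running WmiPrvSE.exe.
# Assumes an elevated PowerShell 5.1 session on Windows 10.
function Test-WmiPrvSEBinary {
    param([Parameter(Mandatory)][string]$Path)

    # The two legitimate locations named in the article.
    $expected = @(
        (Join-Path $env:SystemRoot 'System32\wbem\WmiPrvSE.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\wbem\WmiPrvSE.exe')
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo

    $pathOk = $expected -contains $Path      # string -contains ignores case
    $sigOk  = $sig.Status -eq 'Valid' -and
              $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'

    [pscustomobject]@{
        Path      = $Path
        PathOk    = $pathOk
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Copyright = $info.LegalCopyright     # informational only, easy to fake
        Verdict   = if ($pathOk -and $sigOk) { 'looks genuine' } else { 'investigate' }
    }
}

# Check every process that presents itself under the WmiPrvSE.exe name.
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'WmiPrvSE.exe'") {
    if (-not $p.ExecutablePath) {
        Write-Warning "PID $($p.ProcessId): path not readable, run elevated"
        continue
    }
    Test-WmiPrvSEBinary -Path $p.ExecutablePath |
        Add-Member -NotePropertyName ProcessId -NotePropertyValue $p.ProcessId -PassThru
}
```

A row with the verdict “investigate” is a reason to run the anti-virus scan described below, not proof of infection by itself.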
We clean the system from viruses using anti-virus software installed on the PC. For effective detection, you will need to run a deep system scan.
If you don’t have an antivirus, you can download the Dr.Web Cureit or Kaspersky Virus Removal Tool utility.
Why WMIPrvSE.exe starts to load the processor heavily and how to identify the source
We found out what kind of process wmiprvse.exe is; now let’s look at examples of when it can start to load the processor. In the normal state, the WMI Provider Host, if it loads the CPU at all, does so only briefly, and after data collection is completed it either shuts down or remains active while consuming very few resources. But under certain circumstances, the process can begin to load the CPU heavily and constantly. This is possible in the following cases:
- Connecting new equipment whose drivers do not work correctly;
- Installation of software that is not properly optimized for the OS version being used or does not work correctly;
- Active Windows update procedure;
- Updating third-party programs or drivers installed by them into the system;
- The operation of any programs that create an increased load on the video card;
- Viral activity.
Checking third-party software and peripherals
There is no universal way to fix the problem, and therefore the problem is solved by eliminating possible causes. If the WMI Provider Host process is using a lot of CPU after installing an application, try running it in compatibility mode with an earlier version of the system or uninstalling it. Uninstall the cumulative update or perform a system rollback if the process begins to behave incorrectly.
If you think the problem is with a device, unplug it and check the system. You can also update/roll back device drivers, since most often problems arise when the software does not work correctly. Not sure what device is causing the WMI Provider Host CPU to load? Open Device Manager and try to sequentially disconnect the mouse, USB input devices, printer, scanner, webcam and other external devices, each time checking the behavior of wmiprvse.exe.
If a problematic device is detected, we try to roll back or, on the contrary, update its drivers.
Restarting the Windows Management Instrumentation service
In many cases, high CPU usage can be caused by Windows Management Instrumentation service not working properly. Try restarting it.
Open the Run window using the Win + R keys, type the command services.msc and confirm its launch with Enter.
In the list, find Windows Management Instrumentation. Right-click on it and select Restart.
Now you need to restart the associated services. Close the window and right-click on the Start icon. In the context menu, go to “Command Prompt (Administrator)”. To open the command line in Windows 7, open the search bar, type cmd and right-click to run it as administrator.
In the console, enter the listed commands one after another, confirming the launch of each with Enter.
net stop iphlpsvc
net stop wscsvc
net stop winmgmt
net start Winmgmt
net start wscsvc
net start iphlpsvc
Close Command Prompt and restart your computer. The CPU load generated by the WMI Provider Host process should be significantly reduced.
Excluding services
Be sure to check the impact of third-party services. Open msconfig, go to the “Services” tab, check the “Do not display Microsoft services” checkbox, then disable all remaining services and reboot.
If the problem disappears, then it is obvious that one of the background services is at fault. Turn them on one by one and check as you go that the wmiprvse.exe process is working correctly. It is recommended to do the same actions with startup in the Task Manager.
Finding the problematic application
The hardest part is finding the component that is stressing the process with its calls.
- One by one, we disconnect external devices (mouse, keyboard, webcam, printer, flash drives, etc.) and look at the load level. If, after disconnecting the next device, the process returns to normal, then the culprit has been identified.
- We remove dubious applications that were recently installed. We pay special attention to sets of widgets that collect system information to display component temperatures, memory status, etc.
If you find that an external device is at fault, you need to update its drivers or stop using it. To update the driver:
- Open "Device Manager".
- We find a device that, when disconnected, reduced the load.
- Right-click on it and select the “Update Driver” option.
- We launch an automatic software search.
Drivers need to be updated to avoid errors.
If the automatic search does not produce results, go to the equipment manufacturer’s website and check whether drivers are available. If there is software, download and install it manually. If there is none, it seems that we will have to abandon this equipment, which puts an inadequate load on the WMI Provider Host service.
A service or program can also affect the state of a process. There are two ways to find the culprit. The first is a manual search: we disable non-system components one by one and restart the computer each time.
- Press Win+R to launch the Run window.
- Enter the msconfig command.
- Go to the “Services” tab.
- Check the “Do not display Microsoft services” checkbox.
We leave only third-party services
- Click “Disable all” to deactivate third-party services.
- Go to the “Startup” tab and click on the “Open Task Manager” link.
- Disable all startup components and restart the computer.
Remove all programs from the startup list
If, after restarting the system, the excessive load on memory disappears, then you should look for its cause in the services and programs that were disabled. To determine the application causing the error, you need to return to the “Services” tab, enable all third-party components in turn, restart the computer and check the status of the WMI Provider Host process each time. If the source is detected, you must disable the service or uninstall the application.
The second way to find applications or services that are running erroneously is to use the Windows Event Viewer tool.
- Press Win+R to launch the Run window.
- Enter eventvwr.msc to go to “Event Viewer”.
- Expand the “View” menu and enable “Display analytical and debugging logs”.
- Open the blocks “Application and Service Logs” – Microsoft – Windows – WMI-Activity – Operational.
- In the middle part of the window we see a list of events. In it you need to find lines with the “Error” level. If there are several of them, then we select the last few in time.
- Left-click on each event with the “Error” level and on the “General” tab find the ClientProcessId value. We need its number - for example, 948. Different errors may have different numbers - write them all down.
The event log records all system errors
If the log was not maintained, you need to enable it. To do this, in the WMI-Activity section, select Trace and in the “Actions” block go to properties. On the “General” tab, click “Apply”. After updating the logs, information about active processes and their level will appear on the main page.
Enable logging to save system events
After determining the ClientProcessId number, launch the “Task Manager” and go to the “Details” tab. In the “Process ID” column we look for the numeric combinations that we received in the event log.
By the numerical value we determine the process that is working with an error
Once the relevant process is discovered, you need to decide what to do with it.
- If this is a system process, then before disabling it, be sure to find out which Windows components it is responsible for and whether it can be deactivated. If it cannot, look for a way to fix its erroneous operation instead.
- If this is an application process, then uninstall it and install it again.
- If the process is of unknown origin, run an anti-virus scan and delete all detected malicious files.
It is not necessary to immediately disable the process; first, we try to restart it, that is, cancel the task and then re-open the executable file.
Troubleshooting process
Knowing what the WMI Provider Host is is not enough; you also need to be able to identify other processes accessing it. This is important because if a third-party process requests a large amount of information from the WMI provider, in this case wmiprvse.exe, the latter will create increased load. Open the Windows Event Log with the command eventvwr.msc, in the “View” menu enable “Display analytical and debugging logs”, and then on the left go to Application and service logs – Microsoft – Windows – WMI-Activity. Right-click on the “Trace” element and select “Enable Logging”.
After saving the settings and updating the logs, after some time, entries will appear in the middle column of the Event Log, among which you need to find lines with the ClientProcessId. The value of this parameter will be the identifier of the process that accesses wmiprvse.exe. Knowing the ID, you can easily determine the executable file of the process in the Task Manager by switching to the “Details” tab.
There is also another very similar way to look for the process accessing the WMI provider. Instead of the "Trace" element in the WMI-Activity section, select "Operational" and examine the latest entries with the "Error" level. On the “General” tab, we also look for the ClientProcessId parameter, look at its identifier and use it to identify the process in the Task Manager.
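The “Operational” log lookup described above (and repeated in the Event Viewer steps elsewhere in this article) can be done in one pass with PowerShell. This is an added example, not part of the original article; it assumes an elevated PowerShell 3.0+ session, the function names are hypothetical, and the sample event body is constructed around the article's example ID 948.

```powershell
# Added example: list the client processes behind recent WMI-Activity errors.
function Get-WmiClientPid {
    param([Parameter(Mandatory)][string]$EventXml)
    # Match by local name so the provider's XML namespace does not matter.
    $node = ([xml]$EventXml).SelectSingleNode("//*[local-name()='ClientProcessId']")
    if ($node) { [int]$node.InnerText }
}

function Get-WmiErrorClient {
    param([int]$Hours = 1)   # look only at recent errors: process IDs get reused
    $filter = @{
        LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
        Level     = 2        # 2 = Error
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ClientPid = Get-WmiClientPid -EventXml $_.ToXml()
            }
        } |
        Where-Object ClientPid |
        Group-Object ClientPid |
        ForEach-Object {
            $last = @($_.Group | Sort-Object Time)[-1].Time
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Name)"
            # A process created after the last error merely inherited the ID.
            $state = if (-not $proc) { 'exited' } elseif ($proc.CreationDate -gt $last) {
                'PID reused' } else { 'running' }
            [pscustomobject]@{
                ClientPid = [int]$_.Name; Errors = $_.Count; LastError = $last
                State     = $state;       Name   = $proc.Name
                Path      = $proc.ExecutablePath
            }
        } |
        Sort-Object Errors -Descending
}

# Constructed sample of an event body (not taken from a real log).
$sample = @'
<Event><UserData><Operation_ClientFailure>
  <ClientProcessId>948</ClientProcessId>
  <Operation>Start IWbemServices::ExecQuery</Operation>
</Operation_ClientFailure></UserData></Event>
'@
Get-WmiClientPid -EventXml $sample
Get-WmiErrorClient -Hours 1 | Format-Table -AutoSize
```

Rows marked “PID reused” or “exited” no longer point at the process that caused the error, which is why only the most recent records are worth following up.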
What to do next is a separate question. The reasons for processes not working correctly can be very different, and if they belong to third-party applications, try reinstalling them first. If you are dealing with a non-critical system process, you can try disabling its autoloading in the registry.
Finding solutions
Based on the above possible causes, you should determine the initial range of actions that involve identifying and eliminating the sources of freezing:
- In the Task Manager, identify other processes that also have a significant impact on the CPU, since it is their access to WMI that can cause the problems in question. For analysis, perform the following steps:
  - using the key combination “WIN + R” and the command “eventvwr.msc”, open the “Event Viewer”;
  - next, go to “Application and Services Logs” – “Microsoft” – “Windows” – “WMI-Activity” – “Operational” and pay attention to the latest recorded errors;
  - click on one of them and on the “General” tab, pay attention to the “ClientProcessID” parameter, where a specific process identifier will be indicated, which is the cause of a particular error. It is worth considering that you should only view the latest error records, since the system automatically changes identifiers, and many of them will simply no longer be relevant at the time of verification;
  - open the “Task Manager”, go to the “Details” tab, sort the list by the “ID” column and find the “culprit”, the number of which is indicated in the above-mentioned “ClientProcessID” line;
  - further actions will depend on what exactly was detected; it could be closing the program or restarting it.
- If the problem occurs after connecting any device or after any deliberate manipulation of system files, disable them, temporarily suspend all active activities and check the “CPU” load.
- Restart Windows Management Instrumentation. To do this:
  - press the key combination “WIN+R” and execute the command “services.msc”;
  - in the “Services” window that opens, find the line “Windows Management Instrumentation” in the list, select it by clicking and click on the “Restart” button.
It is also worth noting that it would not be superfluous to check that the operating system is working correctly in “Safe Mode”.
Virus
Unfortunately, quite often virus software is disguised as “WMI Provider Host”, and, despite the ease of identifying “fake” software, not every user responds to the problem in a timely and correct manner. Signs of virus software include:
- Location: system files are located in the corresponding folders (“Windows”, “System”, “System32”), and most “ordinary viruses” cannot access them;
- Signature: to confirm this, open the “Properties” of the “WMI Provider Host” process and go to the “Details” tab, where you will see the signature in the “Authorship” line.
In addition, an indirect sign of virus activity is a constant CPU load that fluctuates around 85 - 90%. If the candidate you are checking does not pass these checks, use any anti-virus software, and also clean the registry in any convenient way.
How to completely disable the service, and what the consequences may be
So, now you know what wmiprvse.exe is, what this process does, and what can cause it to become more active. You also know what actions should be taken to find out the reasons for such activity. But that is not all. If the WMI Provider Host continues to load the processor, it is permissible to take a radical measure - stop its service. To do this, run the services.msc command, find the Windows Management Instrumentation service in the list, open its properties, select “Disabled” in the startup type dialog box, and then click “Stop” and “Apply”.
When you do this, Windows will inform you that Security Center and the IP Helper Service will also be stopped. As a result, the security level of the system will be reduced and it will become more susceptible to external threats, however, if you use a third-party antivirus, the warning can be ignored.
Will there be problems with external devices after this? It's possible, but it doesn't have to happen. In any case, you can always enable the corresponding service in the same way as you disabled it.
How to disable WMI Provider Host
It is theoretically and technically possible to disable the Windows Management Instrumentation service on your computer in the Windows Service Control window. However, we do not recommend doing this, since disabling it may result in the failure of various Windows components or installed applications. WMI Provider Host is an important part of the operating system, so just leave it alone. Instead of clearing the task in Task Manager or disabling Windows Management Instrumentation, you should look for a third-party process that is causing a constant load on your computer's hardware. WMI Provider Host has nothing to do with it, so disabling it will not fix the problem.