Tools to trace WMI requests

Loic (Newbie), posted 08 February 2018 at 11:29am
Hi,
I regularly find workstations having huge I/O read bytes for the wmiprvse process, and find it hard to diagnose. What do you think about creating a tool that will trace the WMI requests and the size of the responses?
Regards,
Loïc

MagicAndre1981 (Moderator Group), posted 08 February 2018 at 6:41pm
Use xperf to capture WMI calls and look for the ClientId to see which process is doing the action:

https://i.stack.imgur.com/N9HtQ.png

https://superuser.com/a/949470

Loic (Newbie), posted 08 February 2018 at 7:12pm
Hi MagicAndre1981, thanks for your reply. I'm already able to retrieve this information from the Windows event log. But it lacks the volume of data sent in the query's response. In fact, some WMI classes contain a pretty huge amount of information and it's hard to tell which ones without running the queries, see what I mean?

Loic (Newbie), posted 09 February 2018 at 6:18am
FYI, this is what I'm using to get the number of WMI queries that have run in the last 4 hours:
# Names of all event logs matching *wmi*
$wmilog = Get-WinEvent -ListLog "*wmi*" | select -expand logname
# Event 5858 from the last 4 hours: keep ExecQuery records, take field 5 of the ';'-separated message and the text between its first and second '-'
Get-WinEvent -FilterHashtable @{logname=$wmilog; id=5858; starttime=((get-date).AddHours(-4))} |
 ?{$_.message -match "execquery"} | select @{name="request";expression={($_.message.split(';')[5]).split('-')[1] }} |
 Group-Object request | select count,name | sort count -desc | ft -AutoSize -Wrap
This gives me this result:
Count Name
----- ----
    6  ROOT\CIMV2 : SELECT ChassisTypes FROM Win32_SystemEnclosure 
    4  root\ccm\policy\machine : select Sign, Encrypt from InventoryClientAuthenticationConfig where
      InventoryActionID="{00000000
    2  root\cimv2 : select MaxClockSpeed from Win32_Processor 
    2  ROOT\CIMV2 : SELECT * FROM Win32_PCMCIAControllerDevice 
    1  root\CIMV2 : SELECT SMBIOSAssetTag FROM Win32_SystemEnclosure  
    1  root\CIMV2 : SELECT uuid FROM win32_computersystemproduct  
    1  ROOT\CIMV2 : SELECT ID FROM Win32_ServerFeature 
    1  ROOT\CIMV2 : SELECT SerialNumber FROM Win32_OperatingSystem 
    1  root\Microsoft\Windows\DeviceGuard : SELECT AvailableSecurityProperties FROM Win32_DeviceGuard  
    1  root\Microsoft\Windows\DeviceGuard : SELECT SecurityServicesRunning FROM Win32_DeviceGuard  

MagicAndre1981 (Moderator Group), posted 09 February 2018 at 6:01pm
But this doesn't show the ProcessId, which is important to see which tool calls the WMI.

Loic (Newbie), posted 09 February 2018 at 6:44pm
This is not what I was looking for in this case, but the PID is also available in the eventlog.
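
An added example, not code from either poster: it pulls both the query text and the client PID discussed above out of the same 5858 events, using a regex instead of splitting on '-' so that queries containing hyphens (such as GUIDs) stay whole. It assumes the message carries `ClientProcessId = ` and `Operation = Start IWbemServices::ExecQuery - ` fields followed by `ResultCode = `; the function names and sample messages are constructed for illustration.

```powershell
# Added example, not code from the thread. Assumed event 5858 message layout:
# "...; ClientProcessId = <n>; ...; Operation = Start IWbemServices::ExecQuery - <ns> : <query>; ResultCode = 0x<hex>; ..."
$Pattern = '(?s)ClientProcessId = (?<cpid>\d+);.*?Operation = Start IWbemServices::ExecQuery - ' +
           '(?<query>.+?);\s*ResultCode = (?<rc>0x[0-9A-Fa-f]+)'

function ConvertFrom-WmiActivityMessage {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        if ($Message -notmatch $Pattern) { return }   # not an ExecQuery record
        $clientPid = [int]$Matches['cpid']
        $query     = $Matches['query'].Trim()
        $result    = $Matches['rc']
        # Best effort: the client may have exited, or its PID may have been reused since.
        $proc = Get-Process -Id $clientPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ClientPid   = $clientPid
            ProcessName = if ($proc) { $proc.ProcessName } else { '<not running>' }
            Query       = $query
            ResultCode  = $result
        }
    }
}

function Get-WmiQueryByClient {
    param([Parameter(Mandatory)][string[]]$Message)
    # Count identical queries per calling process, busiest first.
    $Message | ConvertFrom-WmiActivityMessage |
        Group-Object -Property ClientPid, ProcessName, Query |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{ Count = $_.Count; ClientPid = $first.ClientPid
                               ProcessName = $first.ProcessName; Query = $first.Query }
        }
}

# Constructed sample messages (host, user, PIDs, class name and GUID are made up) for an offline run.
$prefix = 'Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = WS01; User = EXAMPLE\user; '
$sample = @(
    $prefix + 'ClientProcessId = 4320; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ChassisTypes FROM Win32_SystemEnclosure; ResultCode = 0x80041032; PossibleCause = Unknown'
    $prefix + 'ClientProcessId = 4320; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ChassisTypes FROM Win32_SystemEnclosure; ResultCode = 0x80041032; PossibleCause = Unknown'
    $prefix + 'ClientProcessId = 7788; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\example : SELECT * FROM Example_Class WHERE Id="{11111111-2222-3333-4444-555555555555}"; ResultCode = 0x80041032; PossibleCause = Unknown'
)
Get-WmiQueryByClient -Message $sample | Format-Table -AutoSize -Wrap

# Live log, same 4-hour window as the post above:
# $live = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WMI-Activity/Operational'; Id=5858; StartTime=(Get-Date).AddHours(-4)}
# Get-WmiQueryByClient -Message $live.Message
```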