My WinXP is often crashing so I resorted to filemon debugging (among
others) to see what files were being accessed & what they were doing.
Is it normal for filemon to report thousands upon thousands of this?
c:\windows\system32\wbem\logs\wmiprov.log
Inside, is it normal to find the same error thousands of times?
c:\windows\system32\wbem\logs\wmiprov.log
------------
(Sun Dec 18 10:07:19 2005.335892) : The instance name passed was not
recognized as valid(Sun Dec 18 10:07:19 2005.335892) :
(Sun Dec 18 10:07:19 2005.335973) : WDM call returned error: 4201
c:\windows\system32\wbem\logs\wbemess.log
------------
(Sun Dec 18 10:07:19 2005.987289) : NT Event Log Consumer: could not
retrieve sid, 0x80041002
In summary, do you have insight into why filemon reports thousands upon
thousands of accesses to wmiprov.log and why these logs contain these errors?
Notes: Please prune cross list as needed as I didn't know where to ask.
If it helps us get to the bottom of this, here is the filemon log showing
constant and repetitive access to wmiprov.log yet not showing SUCCESS even
though the content of the logs seems to show constant failure (as noted).
5 10:20:08 AM wmiprvse.exe:1660 FASTIO_QUERY_STANDARD_INFO
C:\WINDOWS\system32\wbem\Logs\wmiprov.log SUCCESS Length: 9225
6 10:20:08 AM wmiprvse.exe:1660 FASTIO_QUERY_STANDARD_INFO
C:\WINDOWS\system32\wbem\Logs\wmiprov.log SUCCESS Length: 9225
7 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_WRITE
C:\WINDOWS\system32\wbem\Logs\wmiprov.log SUCCESS Offset: 9225 Length: 78
8 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_CLEANUP
C:\WINDOWS\system32\wbem\Logs\wmiprov.log SUCCESS
9 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_CLOSE
C:\WINDOWS\system32\wbem\Logs\wmiprov.log SUCCESS
10 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_CREATE
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Options: OpenIf Access:
All
11 10:20:08 AM wmiprvse.exe:1660 FASTIO_QUERY_STANDARD_INFO
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Length: 9303
12 10:20:08 AM wmiprvse.exe:1660 FASTIO_QUERY_STANDARD_INFO
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Length: 9303
13 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_WRITE
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Offset: 9303 Length: 89
14 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_CLEANUP
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS
15 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_CLOSE
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS
16 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_CREATE
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Options: OpenIf Access:
All
17 10:20:08 AM wmiprvse.exe:1660 FASTIO_QUERY_STANDARD_INFO
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Length: 9392
18 10:20:08 AM wmiprvse.exe:1660 FASTIO_QUERY_STANDARD_INFO
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Length: 9392
19 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_WRITE
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Offset: 9392 Length: 39
20 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_CLEANUP
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS
21 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_CLOSE
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS
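Added example, not part of any post in this thread: a small Python parser for the Filemon rows quoted above. It joins the newsreader-wrapped lines back into rows and checks whether each IRP_MJ_WRITE starts at the file length reported by the preceding query, which is what an append to a log file looks like. The function names and the regular expression are this example's own, and the pattern assumes paths without spaces.

```python
import re

# Rows 12, 13, 16, 18 and 19 copied from the Filemon log quoted above, wrapped as posted.
SAMPLE = r"""
12 10:20:08 AM wmiprvse.exe:1660 FASTIO_QUERY_STANDARD_INFO
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Length: 9303
13 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_WRITE
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Offset: 9303 Length: 89
16 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_CREATE
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Options: OpenIf Access:
All
18 10:20:08 AM wmiprvse.exe:1660 FASTIO_QUERY_STANDARD_INFO
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Length: 9392
19 10:20:08 AM wmiprvse.exe:1660 IRP_MJ_WRITE
C:\WINDOWS\system32\WBEM\Logs\wmiprov.log SUCCESS Offset: 9392 Length: 39
"""

ROW_START = re.compile(r"^\d+\s+\d{1,2}:\d{2}:\d{2} [AP]M\s")
ROW = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>[^\s:]+):(?P<pid>\d+)\s+(?P<op>[A-Z_]+)\s+(?P<path>\S+)\s+"
    r"(?P<result>[A-Z]+(?: [A-Z]+)*)(?:\s+(?P<detail>\w+:.*))?$"
)

def parse(text):
    """Join wrapped lines into rows, then return one dict per Filemon row."""
    rows = []
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if ROW_START.match(line):
            rows.append(line.strip())                   # "<seq> <time> ..." starts a row
        elif rows:
            rows[-1] += " " + line.strip()              # continuation of a wrapped row
    return [m.groupdict() for m in map(ROW.match, rows) if m]

def append_writes(rows):
    """List each write and whether it began at the last queried file length."""
    size, writes = {}, []
    for r in rows:
        key = (r["pid"], r["path"].lower())             # path case varies in the log
        nums = dict(re.findall(r"(Offset|Length): (\d+)", r["detail"] or ""))
        if r["op"] == "FASTIO_QUERY_STANDARD_INFO" and "Length" in nums:
            size[key] = int(nums["Length"])
        elif r["op"] == "IRP_MJ_WRITE" and {"Offset", "Length"} <= nums.keys():
            off, n = int(nums["Offset"]), int(nums["Length"])
            writes.append({"offset": off, "bytes": n, "append": size.get(key) == off})
    return writes

if __name__ == "__main__":
    for w in append_writes(parse(SAMPLE)):
        print(w)
```

The Result column is the status of the file operation itself; it carries nothing about whether the WMI call being logged succeeded.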
wmiprov.log
Mostly necessary for WMI script developers or system administrators when
searching for the cause of errors. For the average user these logs make no
sense and can just as well be disabled to avoid unnecessary I/O and
defragmentation.
C:\WINDOWS\system32\wbem\Logs
Administrative Tools | Computer Management | Click on [+] Services and
Applications | Right click on WMI Control | Click on properties | Click on
Logging. Change the logging level to Disabled.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:pwal843sf29j$.32jh2rjt...@40tude.net,
Tom Quan <tq...@telleride.com> hunted and pecked:
Hi Wesley,
Are you saying these errors in the wmi log files are meaningless?
I'm confused. If I disable the Windows Management Instrumentation (WMI)
logs, will that make the errors go away or just not report them?
TQ
I looked up what happens if I kill this service and I'm even more confused.
While the filemon.exe log does not show the failure which exists inside the
wmiprov.log and wbemess.log files, filemon does implicate the process which
is constantly being called as "wmiprvse.exe" (whatever that is).
Looking this up, I find wmiprvse.exe is a Windows XP SP2 Windows Management
Instrumentation (WMI) process which is not supposed to be killed according
to http://www.auditmypc.com/process/wmiprvse.asp
Process Library & Answers that Work imply this service is essential to XP:
http://www.processlibrary.com/directory/files/wmiprvse
http://www.answersthatwork.com/Tasklist_pages/tasklist_w.htm
It may be useful to note my anti-virus software has been running and is up
to date even though this intermittent daily Windows XP lockup has been
occurring for weeks.
Are you sure that killing the wmiprvse service will solve the problem
intimated by the constant errors in the WBEM log files?
I suggested disabling WMI logging. I have it disabled. My wmiprov.log is
0KB.
The following has nothing to do with the Windows Management Instrumentation
service.
All it does is disable WMI logging so that nothing is added to the
wmiprov.log.
Administrative Tools | Computer Management | Click on [+] Services and
Applications | Right click on WMI Control | Click on properties | Click on
Logging. Change the logging level to Disabled.
Apparently you have WMI logging set to verbose. That means that it shows
not only errors, but SUCCESS as well.
[[Verbose logging can negatively impact system performance, so select
Verbose only when you need more extensive information about the events
leading to errors. ]]
To turn WMI error logging on or off
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/wmi_turn_error_logging_on_off.mspx
You do whatever you want.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:loo5byk23neu$.1xdiea6n...@40tude.net,
Tom Quan <tq...@telleride.com> hunted and pecked:
Oh. OK. I am less confused now. Thank you for your patience. I've never
encountered this thing called windows management instrumentation before so
I'm starting with a knowledge base of zero (other than what I glean from
google and learn from you from your kind efforts).
I right clicked on the WinXP SP2 "My Computer", pressed "Manage", "Services
and Applications", and right clicked on "WMI Control", "Properties" which
then said "Connecting to Windows Management" and brought up a 5-tab "WMI
Control Properties" form.
Pressing on the "Logging" tab for the first time, I see it was actually set
to "Errors only". As a test, I set it next to "Verbose" and noticed LOTS of
new logs showed up in C:\windows\system32\wbem\Logs, e.g., Framework.log,
provss.log, wbemcore.log, WinMgmt.log, wbemprox.log, etc.
Looking in the various logs, I find strange reports such as:
CWbemProviderGlue::Init 12/18/2005 11:14:14.228 thread:3982
[d:\xpsprtm\admin\wmi\wbem\sdk\framedyn\wbemglue.cpp.199]
Failed to open thread token: (1008) 12/18/2005 11:14:14.228 thread:3984
But my D: drive is almost wholly empty (except for something hidden called
"System Volume Information" and "MSOCache").
Do these tell us anything?
Doing the diligent search on CWbemProviderGlue init calls, I see whatever
they are, Microsoft feels they are obsolete according to
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/cwbemproviderglue.asp
which says
"CWbemProviderGlue ties the Component Object Model (COM) interfaces of the
Windows Management Instrumentation (WMI) API to the classes derived from
the Provider class, and supplies methods for providers to use to query each
other."
May I ask what a "PROVIDER" is (or am I barking up the wrong tree)?
TQ
--
--------------------------------------------------------------------------------------------------
Goodbye Web Diary
http://margokingston.typepad.com/harry_version_2/2005/12/thank_you_and_g.html#comments
=================================================
"Tom Quan" <tq...@telleride.com> wrote in message news:xie5bbvop7tf.8i3q7v9n2tl5$.dlg@40tude.net...
If you don't have a use for it then it is useless for you. If you do have a
use for it then it can be very useful.
There is an abundance of information about "Windows Management
Instrumentation" (WMI) and the corresponding industry standard "Web-Based
Enterprise Management" (WBEM). The Windows SDK documentation is at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_start_page.asp
WMI can be very useful for developers, including script developers. It is
often easy to write a simple script that is very useful. The "Script Center"
has samples and tutorials in which many use WMI; see:
http://www.microsoft.com/technet/scriptcenter/default.mspx
In there is the "WMI Scripting Primer" that should be useful; see:
http://www.microsoft.com/technet/scriptcenter/guide/sas_wmi_overview.mspx
You should search for information such as that and read some of it before
asking for help. Asking general questions such as "Is it useful?" assumes
that volunteers will be eager to repeat for you what is already easily
available to you.