WMIPRVSE.EXE running at high CPU utilisation

Well… I think I’ve solved this one.
I took a call saying that one of our servers was running really slowly, and sure enough it was. Every few micro seconds, the CPU would peak at 100%, then drop to somewhere around 70%/80% then peak again. Over and over and over. Searching the web was a bit hopeless- there are hotfixes from Microsoft to solve this problem in specific circumstances, but as this server was neither (a) and SMS server (b) isn’t a domain controller and (c) isn’t server 2008 none of their KB articles applied. Other sites implied WMIPRVSE.EXE can be a virus, but the version on this server didn’t match that either (would have been annoyed at our AV solution if this was the case!)
Started off with the obvious- stop our AV agents, stop our Management platform agents… nothing. Just the CPU peak and trough as described above.
Looking at the application event log, I noticed that (approx 1656 times every second. Yes, I am that sad) an entry was being logged saying:
"Error opening event log file Windows PowerShell. Log will not be processed. Return code from OpenEventLog is 1338"
And when I tried opening the PowerShell event log, it would complain about security descriptors (forgot to screenshot it) and refused to open. After being unable to find any way of uninstalling PowerShell (even though it was obvously there ‘cos I could run it), I eventually found that PowerShell 2 was bundled into an update called "Windows Management Framework Core package (Windows PowerShell 2.0 and WinRM 2.0)" (links below).
I then found out how to uninstall it (Regedit>HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\KB968930\UninstallString) which left me with this:
"C:\WINDOWS\$950099Uinstall_KB968930$\spuninst\spuninst.exe" /norestart
(I added the /norestart myself as this is a production server, didn’t think it was such a bright idea to accidentally reboot a server in the day). The moment this finished running, all the event entries stopped, the PowerShell event log disappeared and the CPU barely seems to have gone over 20%. I guess the next stage is to reinstall the above hotifx and see if it behaves.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s