Question
Scott Knights
I have a XenApp environment, running 2012R2 servers on ESXi 6 hosts. VDA version 7.16. The servers are provisioned using MCS. CPM is used to manage profiles. Sophos antivirus is installed with Citrix and Microsoft recommended exclusions.
The WMIPRVSE service running under the NETWORK SERVICE user context will periodically use constant excessive CPU. Running procmon shows that it is constantly touching the file tzres.dll and its associated mui. It also tries and fails to read the nonexistent registry key HKEY_USERS\S-1-5-20\Software\Citrix\SessionSfr\0. I can eliminate this by creating the key.
The WMI-Activity Trace log shows constant Event 12s from CIMWIN32 under this PID's HostID, executing this query:
ProviderInfo for GroupOperationId = 64558; Operation = Provider::ExecQuery - CIMWin32 : select __RELPATH, __RELPATH, __DERIVATION, Name, SessionId from Win32_Process; HostID = xxxxx; ProviderName = CIMWin32; ProviderGuid = {d63a5850-8f16-11cf-9f47-00aa00bf345c}; Path = %systemroot%\system32\wbem\cimwin32.dll
Running this query manually gives extensive output. The WMI repository validates OK.
There do not appear to be any corresponding event 11s to show the ClientProcessID.
The issue still occurs with the VMTools, Citrix Broker, telemetry, CPM and End User Experience monitoring services stopped and disabled. I have excluded tzres.dll and the WBEM folders from on-access AV scanning.
If I kill the wmiprvse process, it immediately starts again using high CPU. The only thing I have found which stops the excessive CPU usage is to rename the cimwin32.dll file. Once this is done and the wmiprvse is ended it will start without the excessive CPU usage. However, I don't know what negative effects this may have. Procmon shows it is still trying to repeatedly access cimwin32.dll.
Anybody have any idea on where to look next?
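The correlation described in the post (event 12 provider operations matched to event 11 client operations by GroupOperationId), as an added example that is not part of the original post: it attributes each event 12 to a client PID where an event 11 exists and groups the unmatched ones by HostID and query. The event 12 layout follows the line quoted above; the event 11 layout, the sample values and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

PROC_WQL = "select __RELPATH, __RELPATH, __DERIVATION, Name, SessionId from Win32_Process"
SVC_WQL = "select Name from Win32_Service"  # constructed second query

# Event 12 template: layout taken from the line quoted in the post.
E12 = (r"ProviderInfo for GroupOperationId = {gid}; Operation = Provider::ExecQuery - "
       r"CIMWin32 : {wql}; HostID = {host}; ProviderName = CIMWin32; "
       r"ProviderGuid = {{d63a5850-8f16-11cf-9f47-00aa00bf345c}}; "
       r"Path = %systemroot%\system32\wbem\cimwin32.dll")
# Event 11 template: assumed layout, not shown in the post.
E11 = (r"GroupOperationId = {gid}; Operation = Start IWbemServices::ExecQuery - "
       r"root\cimv2 : {wql}; ClientMachine = HOST01; ClientProcessId = {pid}")

# Constructed sample: one attributed query, two orphaned Win32_Process queries.
SAMPLE = [
    (11, E11.format(gid=64001, wql=SVC_WQL, pid=4321)),
    (12, E12.format(gid=64001, wql=SVC_WQL, host=1111)),
    (12, E12.format(gid=64558, wql=PROC_WQL, host=2222)),
    (12, E12.format(gid=64559, wql=PROC_WQL, host=2222)),
]

def field(name, message):
    """Return the value of 'name = value' up to the next ';', or None."""
    m = re.search(r"\b" + re.escape(name) + r" = ([^;]*)", message)
    return m.group(1).strip() if m else None

def correlate(events):
    """events: list of (event_id, message). Returns (attributed, orphans)."""
    clients = {}  # GroupOperationId -> ClientProcessId, learned from event 11
    for event_id, msg in events:
        if event_id == 11:
            clients[field("GroupOperationId", msg)] = field("ClientProcessId", msg)
    attributed, orphans = Counter(), Counter()
    for event_id, msg in events:
        if event_id != 12:
            continue
        op = field("Operation", msg)
        client = clients.get(field("GroupOperationId", msg))
        if client is not None:
            attributed[(client, op)] += 1  # keyed by requesting client PID
        else:
            orphans[(field("HostID", msg), op)] += 1  # keyed by provider host PID
    return attributed, orphans

if __name__ == "__main__":
    for (host, op), n in correlate(SAMPLE)[1].most_common():
        print(f"{n} unattributed event 12s, HostID {host}: {op}")
```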