Diagnose and repair problems with the WMI service


Hello,

This post is about the utility for diagnosing and repairing problems with the WMI service. This analysis should be done for specific problems, but also to prevent problems and to correct any issue that might be detected.

You can read more about the WMI Diagnosis Utility here, http://technet.microsoft.com/en-us/library/ff404265.aspx, and you can download it here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7684.

You can read about WMI logging here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394564%28v=vs.85%29.aspx. For information, by default all WMI logs can be found in this location: “%windows%\system32\wbem”.

After you download and extract the files (in my case to d:\wmi), run WMIDiag.vbs from the command line.

Wait a few minutes and a report will be generated; a Notepad window will appear.

All the logs are in this location, “%userprofile%\appdata\local\temp”, and their names start with “WMIDIAG-V2.1_……”.

Now we can analyse the information that was reported. This is one of the files that were generated; you can access the extended report at the end of this file.

Many things are checked in the report that was created, and you can see detailed information about the system and hardware.

This is the part of the report where you can see all the reboots that happened in the last 3 years, and the Windows version.

"..
36424 14:23:35 (0) ** -------------------------------------------------------------------------------------------------
36425 14:23:35 (0) ** Windows Server 2003 - Service pack 2 - 32-bit (3790) - User 'xxxxxxxxxxxxxx' on computer 'xxxxxxxxxxx'.
36426 14:23:35 (0) ** ------------------------------------------------------------------------------------------------
36427 14:23:35 (0) ** INFO: Environment: ...................................................................... 1 ITEM(S)!
36428 14:23:35 (0) ** INFO: => 47 possible incorrect shutdown(s) detected on:
36429 14:23:35 (0) **          - Shutdown on 12 December 2008 21:37:18 (GMT-0).
36430 14:23:35 (0) **          - Shutdown on 19 December 2008 00:16:53 (GMT-0).
36431 14:23:35 (0) **          - Shutdown on 05 January 2009 12:23:01 (GMT-0).
36432 14:23:35 (0) **          - Shutdown on 05 January 2009 12:48:26 (GMT-0).
36473 14:23:35 (0) **          - Shutdown on 13 July 2011 14:31:48 (GMT+1).
36474 14:23:35 (0) **          - Shutdown on 26 September 2011 15:35:23 (GMT+1).
36475 14:23:35 (0) **          - Shutdown on 07 March 2012 18:01:50 (GMT-0)...."

Here you can see disk information:

"...
6477 14:23:35 (0) ** System drive: ................................................................C: (Disk #0 Partition #0).
36478 14:23:35 (0) ** Drive type: ...................................................SCSI (LSILOGIC Logical Volume SCSI Disk Device).
36479 14:23:35 (0) ** There are no missing WMI system files: ......................................OK.
36480 14:23:35 (0) ** There are no missing WMI repository files: ..................................OK.
36481 14:23:35 (0) ** WMI repository state: .......................................................CONSISTENT.
36482 14:23:35 (0) ** AFTER running WMIDiag:
36483 14:23:35 (0) ** The WMI repository has a size of: ...........................................27 MB.
36484 14:23:35 (0) ** - Disk free space on 'C:': ..................................................7896 MB.
36485 14:23:35 (0) **   - INDEX.BTR,                     2670592 bytes,      20-03-2012 12:56:19
36486 14:23:35 (0) **   - MAPPING.VER,                   4 bytes,            20-03-2012 14:18:40
36487 14:23:35 (0) **   - MAPPING1.MAP,                  14144 bytes,        20-03-2012 14:18:40
36488 14:23:35 (0) **   - MAPPING2.MAP,                  14144 bytes,        20-03-2012 14:18:33
36489 14:23:35 (0) **   - OBJECTS.DATA,                  25952256 bytes,     20-03-2012 14:18:33 ..."

Here you can see information about services and DCOM:

"...
36490 14:23:35 (0) ** ---------------------------------------------------------------------------------------------------
36491 14:23:35 (2) !! WARNING: Windows Firewall Service: .................................................... STOPPED.
36492 14:23:35 (0) ** ----------------------------------------------------------------------------------------------
36493 14:23:35 (0) ** DCOM Status: ............................................................................. OK.
36494 14:23:35 (0) ** WMI registry setup: ...................................................................... OK.
36495 14:23:35 (0) ** INFO: WMI service has dependents: ......................................................... 1 SERVICE(S)!
36496 14:23:35 (0) ** - Windows Firewall/Internet Connection Sharing (ICS) (SHAREDACCESS, StartMode='Disabled')
36497 14:23:35 (0) ** => If the WMI service is stopped, the listed service(s) will have to be stopped as well.
36498 14:23:35 (0) **    Note: If the service is marked with (*), it means that the service/application uses WMI but
36499 14:23:35 (0) **          there is no hard dependency on WMI. However, if the WMI service is stopped,
36500 14:23:35 (0) **          this can prevent the service/application to work as expected.
36501 14:23:35 (0) **
36502 14:23:35 (0) ** RPCSS service: .................................................................................... OK (Already started).
36503 14:23:35 (0) ** WINMGMT service: .................................................................................. OK (Already started).
36504 14:23:35 (0) ** ------------------------------------------------------------------------------------------------------------------
36505 14:23:35 (0) ** WMI service DCOM setup: ............................................................................ OK.
36506 14:23:35 (0) ** WMI components DCOM registrations: ................................................................ OK.
36507 14:23:35 (0) ** WMI ProgID registrations: ....................................................................... OK.
36508 14:23:35 (0) ** WMI provider DCOM registrations: .................................................................... OK.
36509 14:23:35 (0) ** WMI provider CIM registrations: ..................................................................... OK.
36510 14:23:35 (0) ** WMI provider CLSIDs: ................................................................................. OK.
36511 14:23:35 (0) ** WMI providers EXE/DLL availability: .................................................................. OK.
36512 14:23:35 (0) ** --------------------------------------------------------------------------------------------------------
36513 14:23:35 (0) ** Overall DCOM security status: ........................................................................ OK.
36514 14:23:35 (0) ** Overall WMI security status: ........................................................................... OK.
36515 14:23:35 (0) ** - Started at 'Root' -----------------------------------------------------------------------------------------
36516 14:23:35 (0) ** INFO: WMI permanent SUBSCRIPTION(S): ..................................................................... 54....."

You have to read and check the report to see what can be useful to your environment, and check the error messages like the next one.

In this case you just have to follow the instructions.

After reading this file you should open the extended report, where you will find all the information and all the analysis. The first part is the location of the files related to the report.

Reading the information in this file (37000 lines) takes a while, but we can find some interesting information about things that should be improved in your system, like the next examples I will show here, and for each one should be

"....
..127 14:17:12 (0) ** Verifying MOF files in WBEM folder.
..128 14:17:12 (2) !! WARNING: 'C:\WINDOWS\SYSTEM32\WBEM\DNSETW.MOF' does exist but it is NOT LISTED in the 'Autorecover MOFs' registry key.
..129 14:17:12 (3)    'C:\WINDOWS\SYSTEM32\WBEM\NCPROV.MFL' does exist and is NOT LISTED BY DEFAULT in the 'Autorecover MOFs' registry key.
..130 14:17:12 (3)    'C:\WINDOWS\SYSTEM32\WBEM\NCPROV.MOF' does exist and is NOT LISTED BY DEFAULT in the 'Autorecover MOFs' registry key.
..131 14:17:12 (2) !! WARNING: 'C:\WINDOWS\SYSTEM32\WBEM\POLBASE.MOF' does exist but it is NOT LISTED in the 'Autorecover MOFs' registry key.
..132 14:17:12 (2) !! WARNING: 'C:\WINDOWS\SYSTEM32\WBEM\POLPRO.MOF' does exist but it is NOT LISTED in the 'Autorecover MOFs' registry key.
..133 14:17:12 (2) !! WARNING: 'C:\WINDOWS\SYSTEM32\WBEM\POLPROC.MOF' does exist but it is NOT LISTED in the 'Autorecover MOFs' registry key.
..134 14:17:12 (2) !! WARNING: 'C:\WINDOWS\SYSTEM32\WBEM\POLPROCL.MFL' does exist but it is NOT LISTED in the 'Autorecover MOFs' registry key.
..135 14:17:12 (2) !! WARNING: 'C:\WINDOWS\SYSTEM32\WBEM\POLPROU.MOF' does exist but it is NOT LISTED in the 'Autorecover MOFs' registry key.
..136 14:17:13 (3)    'C:\WINDOWS\SYSTEM32\WBEM\SCRCONS.MFL' does exist and is NOT LISTED BY DEFAULT in the 'Autorecover ....."
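Reading a 37000-line report by hand is slow, so here is an added example (my own code, not part of the original post and not part of the WMIDiag tool) that triages a WMIDiag report: it parses the `<line> <time> (<level>) <marker> <message>` layout visible in the excerpts above, counts lines by severity, lists the stopped services and the repository state from the services section, and pulls out the MOF/MFL files that the "Autorecover MOFs" warnings refer to. The sample lines are constructed from the excerpts in this post; the assumption that only the `!! WARNING` lines are actionable (while the level-3 "NOT LISTED BY DEFAULT" lines are informational) is mine, as is the `find_latest_report` helper that looks for the `WMIDIAG-V2.1_*` files in the temp folder named above.

```python
"""Triage a WMIDiag report (added example; not the post's or WMIDiag's own code).

Assumed report line layout, taken from the excerpts in the post:
    <line#> <HH:MM:SS> (<level>) <marker> <message>
where <marker> is '**' for info lines, '!!' for WARNING/ERROR lines and absent
on the indented level-3/level-4 detail lines.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^\s*\.*(?P<num>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\((?P<level>\d)\)"
    r"(?:\s+(?P<marker>\*\*|!!))?\s*(?P<msg>.*?)\s*$"
)
# "'C:\...\X.MOF' does exist but it is NOT LISTED in the 'Autorecover MOFs' registry key."
AUTORECOVER_RE = re.compile(
    r"'(?P<path>[^']+\.(?:MOF|MFL))' does exist (?:but it is|and is) NOT LISTED", re.IGNORECASE
)
# "WARNING: Windows Firewall Service: ........ STOPPED."
STOPPED_RE = re.compile(r"^WARNING:\s*(?P<service>.+?):\s*\.*\s*STOPPED\.?$")
# "WMI repository state: ........ CONSISTENT."
REPO_STATE_RE = re.compile(r"^WMI repository state:\s*\.*\s*(?P<state>[A-Z]+)\.?$")

# Constructed sample: lines copied from the report excerpts quoted in the post.
SAMPLE_REPORT_LINES = [
    r"36490 14:23:35 (0) ** ---------------------------------------------------------------",
    r"36491 14:23:35 (2) !! WARNING: Windows Firewall Service: .............................. STOPPED.",
    r"36493 14:23:35 (0) ** DCOM Status: ...................................................... OK.",
    r"36481 14:23:35 (0) ** WMI repository state: .......................................CONSISTENT.",
    r"127 14:17:12 (0) ** Verifying MOF files in WBEM folder.",
    r"128 14:17:12 (2) !! WARNING: 'C:\WINDOWS\SYSTEM32\WBEM\DNSETW.MOF' does exist but it is NOT LISTED in the 'Autorecover MOFs' registry key.",
    r"129 14:17:12 (3)    'C:\WINDOWS\SYSTEM32\WBEM\NCPROV.MFL' does exist and is NOT LISTED BY DEFAULT in the 'Autorecover MOFs' registry key.",
    r"131 14:17:12 (2) !! WARNING: 'C:\WINDOWS\SYSTEM32\WBEM\POLBASE.MOF' does exist but it is NOT LISTED in the 'Autorecover MOFs' registry key.",
]


@dataclass
class ReportLine:
    num: int
    time: str
    level: int
    marker: str  # '**', '!!' or '' for indented detail lines
    msg: str

    @property
    def severity(self) -> str:
        if self.marker == "!!":
            return "error" if self.msg.upper().startswith("ERROR") else "warning"
        return "info" if self.marker == "**" else "detail"


def parse_report(lines: Iterable[str]) -> List[ReportLine]:
    """Parse report lines; headers, blank lines and extraction noise are skipped."""
    entries = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if m:
            entries.append(ReportLine(int(m["num"]), m["time"], int(m["level"]), m["marker"] or "", m["msg"]))
    return entries


def severity_counts(entries: List[ReportLine]) -> dict:
    counts = {"error": 0, "warning": 0, "info": 0, "detail": 0}
    for e in entries:
        counts[e.severity] += 1
    return counts


def stopped_services(entries: List[ReportLine]) -> List[str]:
    """Services the report flags as STOPPED (the firewall service in the post's excerpt)."""
    found = []
    for e in entries:
        m = STOPPED_RE.match(e.msg)
        if e.severity == "warning" and m:
            found.append(m["service"])
    return found


def repository_state(entries: List[ReportLine]) -> Optional[str]:
    for e in entries:
        m = REPO_STATE_RE.match(e.msg)
        if m:
            return m["state"]
    return None


def unlisted_autorecover_mofs(entries: List[ReportLine]) -> Tuple[List[str], List[str]]:
    """(actionable, informational) files absent from the 'Autorecover MOFs' key.
    Assumption: the '!! WARNING' lines need action; the level-3 'NOT LISTED BY DEFAULT'
    lines are WMIDiag's notes on files that are not listed on a default install."""
    actionable, informational = [], []
    for e in entries:
        m = AUTORECOVER_RE.search(e.msg)
        if m:
            (actionable if e.severity == "warning" else informational).append(m["path"])
    return actionable, informational


def find_latest_report(temp_dir: Path) -> Optional[Path]:
    # WMIDiag writes its files to %userprofile%\appdata\local\temp with names starting WMIDIAG-V2.1_
    reports = sorted(temp_dir.glob("WMIDIAG-V2.1_*"), key=lambda p: p.stat().st_mtime)
    return reports[-1] if reports else None


if __name__ == "__main__":
    import sys
    src = Path(sys.argv[1]) if len(sys.argv) > 1 else None  # pass a report path, else use the sample
    lines = src.read_text(errors="replace").splitlines() if src else SAMPLE_REPORT_LINES
    found = parse_report(lines)
    print("severity:", severity_counts(found))
    print("stopped services:", stopped_services(found))
    print("repository state:", repository_state(found))
    print("Autorecover MOFs (actionable, informational):", unlisted_autorecover_mofs(found))
```

Run it with the path of the generated report as the only argument; with no argument it runs over the sample lines. The actionable list is the set of files to check against the "Autorecover MOFs" registry key, which is exactly what the warnings above ask you to do.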

Another example shows that rights were given to a user that was deleted, and this should certainly be corrected.

".....829 14:17:22 (3)    Verifying default trustee in ACEs against the actual trustees in ACEs to locate default trustee removals.
..830 14:17:22 (3)    
..831 14:17:22 (3)    Deciphering DCOM security for 'My Computer' (Launch & Activation Permissions/Edit Default)
..832 14:17:22 (4)      Reading registry (REG_BINARY) 'HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission'.
..833 14:17:22 (4)      +- Security Descriptor ----------------------------------------------------------------
..834 14:17:22 (4)      | Owner: ................................. S-1-5-21-528768928-1231760990-50533070-500
..835 14:17:22 (4)      | Group: ................................. S-1-5-21-528768928-1231760990-50533070-500
..836 14:17:22 (4)      | Revision: .............................. 1
..837 14:17:22 (4)      | Control: ............................... &h8004
..838 14:17:22 (4)                                                 SE_DACL_PRESENT
..839 14:17:22 (4)                                                 SE_SELF_RELATIVE
..840 14:17:22 (4)      |+- DiscretionaryAcl ---------------------------------------------------------------------
..841 14:17:22 (4)      ||+- ACE #01 ------------------------------------------------------------------------------..."

As I said before, this is an extended report, and there is a lot of useful information in it that could be used to improve your system and correct minor issues.

This post is not finished and I will try to improve it.

Once again, I hope this information can help you.


About rodvars
Been working in IT Services/Consulting for the past 15 years. My main areas of work are planning, development, managing and administration of system infrastructures, focusing on optimizing user processes, enforcing business security, performance enhancements, high availability and infrastructure scalability.
