I found myself in a situation recently where a Windows Server 2012 R2 instance suddenly began suffering from high CPU utilisation. Briefly watching process CPU usage in Task Manager showed the Windows Management Instrumentation (WMI) service to be the culprit.
I ended up down a rabbit hole and will include some of the debugging steps I followed and results found.
Verified WMI works correctly locally using
Verified WMI can connect remotely with wbemtest using a monitoring service account
winmgmt /verifyrepository to verify WMI repository is not corrupt
C:\Windows\System32\wbem\Repository\objects.data file is not excessively large
Ran queries with wbemtest. All queries to Win32_PerfRawData, Win32_PerfFormattedData and Win32_Perf failed but other queries ran successfully.
Verified no Windows Updates with WMI fixes were available.
Reviewed Event Viewer and could see ~1400 events within a 5-hour period similar to those described in this Microsoft KB article: https://support.microsoft.com/en-us/help/3124914/wmi-activity-event-5858-logged-frequently-with-resultcode-0x80041032
Re-registered all DLLs and recompiled .mofs in wbem folder.
Re-registered WMI Service and provider.
At this point all roads were leading to WMI database corruption that was being missed by winmgmt, but I didn’t want to force a rebuild without hard evidence. Finally, I opened perfmon.msc and was greeted with the following:
Unable to add these counters:
\Memory\% Committed Bytes In Use
\PhysicalDisk(*)\Avg. Disk Queue Length
\Network Interface(*)\Bytes Total/sec
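The three symptoms found so far (the 5858 events, the failing performance-class queries and the counters perfmon could not add) can be re-checked in one pass. The PowerShell below is an added example, not part of the original post; the event log name, the message-text regexes, the `Test-Step` helper and the concrete `PerfOS_Memory` classes are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# session on the affected server; uses only cmdlets present in PowerShell 4.0.
$windowHours = 5   # look-back window, matching the 5-hour period reviewed above

# 1. WMI-Activity 5858 events, grouped by result code and calling process ID.
#    Assumption: both fields are parsed from the rendered message text.
$filter = @{
    LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
    Id        = 5858
    StartTime = (Get-Date).AddHours(-$windowHours)
}
# "No events found" is a non-terminating error, hence SilentlyContinue.
$events  = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$summary = $events | ForEach-Object {
    [pscustomobject]@{
        ResultCode = if ($_.Message -match 'ResultCode = (0x[0-9A-Fa-f]+)') { $Matches[1] } else { 'unparsed' }
        ClientPid  = if ($_.Message -match 'ClientProcessId = (\d+)') { $Matches[1] } else { 'unparsed' }
    }
} | Group-Object ResultCode, ClientPid | Sort-Object Count -Descending

# Hypothetical helper: run one check, record success or the error message.
function Test-Step([string]$Name, [scriptblock]$Action) {
    try   { $null = & $Action; [pscustomobject]@{ Check = $Name; Ok = $true;  Error = '' } }
    catch { [pscustomobject]@{ Check = $Name; Ok = $false; Error = $_.Exception.Message } }
}

# 2. The counters perfmon.msc refused to add (English counter names).
$counterResults = foreach ($c in '\Memory\% Committed Bytes In Use',
                                 '\PhysicalDisk(*)\Avg. Disk Queue Length',
                                 '\Network Interface(*)\Bytes Total/sec') {
    Test-Step "Counter $c" { Get-Counter -Counter $c -ErrorAction Stop }
}

# 3. One control class plus two concrete performance classes. Assumption: the
#    PerfOS_Memory subclasses stand in for the Win32_Perf* superclasses, which
#    are expensive to enumerate on a server that is already short of CPU.
$wmiResults = foreach ($cls in 'Win32_OperatingSystem',
                               'Win32_PerfRawData_PerfOS_Memory',
                               'Win32_PerfFormattedData_PerfOS_Memory') {
    Test-Step "WMI $cls" { Get-CimInstance -ClassName $cls -OperationTimeoutSec 30 -ErrorAction Stop }
}

"5858 events in the last $windowHours h: $($events.Count)"
$summary | Format-Table Count, Name -AutoSize
@($counterResults) + @($wmiResults) | Format-Table Check, Ok, Error -Wrap
```

If the control class succeeds while the counter and performance-class rows fail, the fault sits in the performance-counter layer rather than in the WMI repository, which is the pattern described in this post.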
One short command to rebuild performance counters-
This can be verified with-