File description |
Wmiprvse.exe with description WMI is a process file from company Microsoft Corporation belonging to product Microsoft® Windows® Operating System.
The file is
digitally signed from Microsoft Windows - Microsoft Time-Stamp Service
We do not recommend removing digitally signed files from Microsoft Windows
What is wmiprvse.exe?
Wmiprvse is the Windows Management Instrumentation Provider Host program. When a Windows Management Instrumentation (WMI) service is loaded, the providers are loaded separately into wmiprvse.exe. It therefore serves as a host to prevent termination of all WMI services when the provider terminates.
Essentially, it allows certain processes to run, including many system services. It is also used by applications that allow a manager to administer your system over an enterprise network. This process is not essential to the operation of the system; however, it is essential to the proper functioning of many system services. If it is not causing any problems, you should not terminate it. If you are a home user, and this process is causing problems, however, it is safe to terminate. The screenshot below illustrates how it should appear in the task manager:
Although in this screenshot wmiprvse.exe is running as NETWORK SERVICE, it can also run as SYSTEM or LOCAL SERVICE. A process with this name running as a different user may be indicative of a malware infection.
Dangers of wmiprvse
As this is the name of a legitimate system process, it is common for virus writers and spyware vendors to disguise their malware as the genuine one.
Some malicious files will have the same name but will be stored somewhere other than in %SystemRoot%\System32\Wbem. Other malware will use a name that appears similar to that of the legitimate one but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as wmiprvse.exe:
- W32/Sonebot-B (%SystemRoot%\System32)
- This is a backdoor trojan that includes an IRC bot that allows an attacker to issue remote commands. An indication of infection is a "Kernel_check = wmiprvse.exe" entry in the registry keys HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices.
- W32/SillyFDC-AW (%SystemRoot%)
- This worm spreads via removable drives (e.g., USB flash drives and external hard drives) by creating an autorun.inf file to automatically infect a system upon connecting the device.
- W32/Sasser (wmiprvsw.exe)
There will sometimes be several copies of this process running at a given time for any of the three aforementioned users. The presence of multiple instances is not a cause for concern; however, if it is running under a user that is not one of the above three, it is possible that it is malicious.
Common problems
- This process uses 100% of the CPU
- Ensure that your wmiprvse.exe is in %SystemRoot%\System32\Wbem, not %SystemRoot%\System32 or %SystemRoot%.
- If it is the real wmiprvse.exe that is using 100% CPU time, the problem can be caused by a corrupt Windows Update log. Try disabling automatic updates and then perform a manual Windows Update. If it succeeds, reenable automatic updates
- Download and install the KB894391 hotfix from Microsoft's website.
- Try disabling unnecessary applications and services to see if the problem goes away. 100% CPU usage by wmiprvse.exe is usually caused by a separate service.
- If the above does not work, try uninstalling updates (starting with the most recent) until the problem goes away.
- This process uses an excessive amount of memory in Windows XP Service Pack 2
- This is a known issue, for which there is a hotfix available from KB925623 on Microsoft's site.
|
Automatic startup locations |
 |
001 Running Processes |
 |
003 Autorun registry entries Current User |
 |
010 Installed services |
 |
034 Winlogon Shell |
|
038 Winlogon Taskman |
|
Digital signatures found for this file |
| |
Signer of certificate |
Issuer of certificate |
 |
Microsoft Windows |
Microsoft Time-Stamp Service |
|
Microsoft Windows |
Microsoft Timestamping Service |
|
Microsoft Windows |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows Component Publisher |
Microsoft Time-Stamp Service |
|
Microsoft Windows Component Publisher |
Microsoft Timestamping Service |
|
Microsoft Windows Component Publisher |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows Publisher |
VeriSign Time Stamping Service |
|
Microsoft Windows Publisher |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows XP Publisher |
VeriSign Time Stamping Service |
|
Microsoft Windows XP Publisher (Europe) |
VeriSign Time Stamping Service |
|
|
MD5 security rating in our database |
 |
 |
|
143 |
files (Not yet rated
and
not
signed) |
|
|
3 |
files (Not yet rated
and
digitally
signed) |
 |
|
5 |
files (Safe
and
not
signed) |
|
|
181 |
files (Safe
and
digitally
signed) |
|
|
|
Some versions of this filename have not yet been checked for safety.
|
| Warning: Some malware might rename itself to wmiprvse.exe. Always make sure that your file is from a verified publisher. |
|
Application errors |
|
| User comments. |
 |
I used msconfig and diabeled two HP programs in the startup area and the over use of the CPU by wmiprvse.exe stopped. |
|
|
Database statistics
Top process list
