0

I have a memory leak in the WMI service on a server that hosts an application whose clients are dependent on WMI for real-time updates of what's happening in the application. As the memory consumed by the WMI service increases, eventually the service becomes unresponsive and has to be restarted. I'm trying to develop a script that will automate this, but I've encountered the following problems:

  • The WMI service cannot be directly stopped from the Services panel, nor using command-line utilities.
  • I can use tasklist to identify the system process that hosts the WMI service, but tasklist is itself dependent upon WMI, and fails if WMI is unresponsive. Likewise taskkill to kill the offending process.

It appears that SC.EXE is not dependent on WMI, so I can use this to find the process ID, but it would require some trickery to parse that out of what SC.EXE returns, and once I do so, how do I kill that process without using taskkill?

Jay Boal
  • 1
  • 1
  • Tasklist and taskkill are not dependent on WMI in any way. Why can not you fix the original code which is causing memory leak? – Amit Shakya Jun 17 '16 at 20:13
  • My experience with this issue is what tells me that tasklist and taskkill are dependent on WMI. If the WMI service is unresponsive or not running, neither tasklist or taskkill work, either in my script or manually in the shell. As to fixing the original code, it's not my code. I have reported the issue to the application vendor but it seems that none of their other customers have reported this issue. We'll probably end up rebuilding the environment but in the meantime I have to manage this issue, hence the need for the script. – Jay Boal Jun 20 '16 at 14:43
  • Because of memory leak your completely environment is getting unresponsive. You can try killing the process remotely, taskkill /s will help you there. – Amit Shakya Jun 20 '16 at 16:42
  • @AmitShakya Are you sure? When i stopped the WMI service and executed tasklist, the WMI service was restarted. When i stopped the service and renamed the system32\wbem folder, tasklist (and WMI service) didn't function anymore, until i restored the original folder name.The WMI service only restarted after issueing the tasklist command. WMI definetely affects/impacts tasklist. – script'n'code Aug 16 '18 at 12:05

1 Answers1

0

Script is batch. List of commands used below: set, for, reg, findstr, if, else, sc, waitfor. None of those commands require WMI.

Notice in the example output (straight off my W10 system) that the PID for WMI is different after the service has been restarted.

set "zServices2Stop="
set "zServices2Start="
for /f "tokens=*" %%A in ('reg query hklm\system\currentcontrolset\services /s /v DependOnService ^| findstr /i "hkey winmgmt"') do (
    set "zDbg=0"
    set "sTmp=%%A"
    if /i "!sTmp:~0,5!"=="HKEY_" (
        set "sTmpService=!sTmp:~53!"
    ) else (
        set "zServices2Stop=!zServices2Stop!,!sTmpService!"
        echo ;[i] Found Service With Dependancy To winmgmt Service {!sTmpService!}
    )
)
set "zServices2Stop=!zServices2Stop:~1!"
echo ;[i] List Of Dependancies: {!zServices2Stop!}
for /f "tokens=3" %%A in ('sc queryex winmgmt ^| findstr /i pid') do @echo ;[i] The PID for the "winmgmt" service before: {%%A}
for %%A in (!zServices2Stop!) do (
    sc queryex "%%A" 2>&1 | findstr /i running >nul && (
        set "zServices2Start=!zServices2Start!,%%A"
        echo ;[i] Stopping {%%A}&sc stop "%%A" >nul 2>&1
    ) || (
        echo ;[i] Ignoring Already Stopped Service {%%A}
    )
)
set "zServices2Start=!zServices2Start:~1!"
waitfor RAN%random%%random%%random%DOM /t 2 >nul 2>&1
echo ;[i] Stopping {winmgmt}&sc stop "winmgmt" >nul
waitfor RAN%random%%random%%random%DOM /t 2 >nul 2>&1
echo ;[i] Starting {winmgmt}&sc start "winmgmt" >nul
waitfor RAN%random%%random%%random%DOM /t 2 >nul 2>&1
for %%A in (!zServices2Start!) do (
    echo ;[i] Starting {%%A}&sc start "%%A" >nul
)
for /f "tokens=3" %%A in ('sc queryex winmgmt ^| findstr /i pid') do @echo ;[i] The PID for the "winmgmt" service after: {%%A}

Output Will Look Like:

;[i] Found Service With Dependancy To winmgmt Service {HgClientService}
;[i] Found Service With Dependancy To winmgmt Service {iphlpsvc}
;[i] Found Service With Dependancy To winmgmt Service {vmms}
;[i] List Of Dependancies: {HgClientService,iphlpsvc,vmms}
;[i] The PID for the "winmgmt" service before: {13124}
;[i] Ignoring Already Stopped Service {HgClientService}
;[i] Stopping {iphlpsvc}
;[i] Stopping {vmms}
;[i] Stopping {winmgmt}
;[i] Starting {winmgmt}
;[i] Starting {iphlpsvc}
;[i] Starting {vmms}
;[i] The PID for the "winmgmt" service after: {12980}
SecurityAndPrivacyGuru
  • 306
  • 1
  • 10