The system event log is bloated with WMI Performance Adapter messages

Problem

A couple of times each minute, the WMI Performance Adapter Service is started and stopped, resulting in an informational message in the system event log (event 7036 from System Control Manager to be exact). This not only fills the log, but also causes pressure on the system due to the constant starting and stopping of the service. I have yet to see this issue on Win2008R2, but I have read reports from others: http://serverfault.com/questions/108829/why-is-my-system-event-log-full-of-wmi-performance-adapter-messages. Most of my Win 2012 servers exhibit the issue, but for some reason my 2008R2 servers have been spared.

image

Analysis

The root cause of this is usually SCOM, Splunk or similar agents who are collecting performance data from the server. The issue is not a problem per se, it is just a result of the fact that the monitoring agents are running a WMI query now and then. The problem is with log readability, it can mask other errors and let them slide out of the event log “window”, that is the amount of data the event log is allowed to contain at any point in time. I had a 20MiB max log size on one server, and it was only able to hold log data for about four days.

image

Solution

The solution is quite simple, you just have to set the startup type for the WMI Performance Adapter Service to Automatic:

image

Thus, you ensure that the service is kept running instead of restarting every 5 seconds. I have yet to see any adverse effects of this so far, but all the servers I have tested this on are physical database servers with tons of resources. The Wmi Performance Adapter service (wmiapsrv.exe) is only using about 7MB of ram on my servers. The Wmi provider host, that is also heavily utilized by SCOM/SPLUNK, is much more of a resource hog:

image

Print This Post Print This Post

Tags: , ,

  1. asdfsdf.com’s avatar

    Thank you- I was able to make sense of why I am getting so many event ID 7036. The SCOM was doing it.

    Reply

  2. Andre’s avatar

    SCOM you devil, but we love you, thanks for the great read keep up the good work.

    Reply

  3. Jay J Aquina’s avatar

    Old thread but I don’t have a good experience leaving the service startup on automatic. In a week or so the service will be consuming more then 100Mb of memory, on both W2K8R2 and W2K12R2. It has for sure a memory leak that was never fixed.

    Reply

    1. DizzyBadger’s avatar

      Does it continue to grow? I have observed different memory consumption values, but they have always been relatively stable. That being said, WMI in general is an “interesting” part of Windows, always shelling out new challenges.
      You could of course add a scheduled task to restart the service weekly to reduce the impact, or live with the event log messages.

      Reply

Leave a Reply

%d bloggers like this: