What is Wmiprvse.exe

WMI - Microsoft® Windows® Operating System - Microsoft Corporation

File description

Wmiprvse.exe with description WMI is a process file from company Microsoft Corporation belonging to product Microsoft® Windows® Operating System.
The file is digitally signed from Microsoft Windows Component Publisher - Microsoft Timestamping Service
We do not recommend removing digitally signed files from Microsoft Windows Component Publisher

What is wmiprvse.exe?
Wmiprvse is the Windows Management Instrumentation Provider Host program. When a Windows Management Instrumentation (WMI) service is loaded, the providers are loaded separately into wmiprvse.exe. It therefore serves as a host to prevent termination of all WMI services when the provider terminates.

Essentially, it allows certain processes to run, including many system services. It is also used by applications that allow a manager to administer your system over an enterprise network. This process is not essential to the operation of the system; however, it is essential to the proper functioning of many system services. If it is not causing any problems, you should not terminate it. If you are a home user, and this process is causing problems, however, it is safe to terminate. The screenshot below illustrates how it should appear in the task manager:

Although in this screenshot wmiprvse.exe is running as NETWORK SERVICE, it can also run as SYSTEM or LOCAL SERVICE. A process with this name running as a different user may be indicative of a malware infection.

Dangers of wmiprvse
As this is the name of a legitimate system process, it is common for virus writers and spyware vendors to disguise their malware as the genuine one.

Some malicious files will have the same name but will be stored somewhere other than in %SystemRoot%\System32\Wbem. Other malware will use a name that appears similar to that of the legitimate one but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as wmiprvse.exe:
  • W32/Sonebot-B (%SystemRoot%\System32)
    • This is a backdoor trojan that includes an IRC bot that allows an attacker to issue remote commands. An indication of infection is a "Kernel_check = wmiprvse.exe" entry in the registry keys HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices.
  • W32/SillyFDC-AW (%SystemRoot%)
    • This worm spreads via removable drives (e.g., USB flash drives and external hard drives) by creating an autorun.inf file to automatically infect a system upon connecting the device.
  • W32/Sasser (wmiprvsw.exe)
There will sometimes be several copies of this process running at a given time for any of the three aforementioned users. The presence of multiple instances is not a cause for concern; however, if it is running under a user that is not one of the above three, it is possible that it is malicious.

Common problems
  • This process uses 100% of the CPU
    • Ensure that your wmiprvse.exe is in %SystemRoot%\System32\Wbem, not %SystemRoot%\System32 or %SystemRoot%.
    • If it is the real wmiprvse.exe that is using 100% CPU time, the problem can be caused by a corrupt Windows Update log. Try disabling automatic updates and then perform a manual Windows Update. If it succeeds, reenable automatic updates
    • Download and install the KB894391 hotfix from Microsoft's website.
    • Try disabling unnecessary applications and services to see if the problem goes away. 100% CPU usage by wmiprvse.exe is usually caused by a separate service.
    • If the above does not work, try uninstalling updates (starting with the most recent) until the problem goes away.
  • This process uses an excessive amount of memory in Windows XP Service Pack 2
    • This is a known issue, for which there is a hotfix available from KB925623 on Microsoft's site.

Automatic startup locations

001 Running Processes
003 Autorun registry entries Current User
010 Installed services
034 Winlogon Shell
038 Winlogon Taskman

Digital signatures found for this file

56 Microsoft Windows Component Publisher - Microsoft Timestamping Service
48 Microsoft Windows - Microsoft Time-Stamp Service
35 Microsoft Windows Publisher - VeriSign Time Stamping Services Signer
12 Microsoft Windows XP Publisher - VeriSign Time Stamping Service
8 Microsoft Windows Component Publisher - Microsoft Time-Stamp Service
7 Microsoft Windows Publisher - VeriSign Time Stamping Service
6 Microsoft Windows XP Publisher (Europe) - VeriSign Time Stamping Service
5 Microsoft Windows - Microsoft Timestamping Service
3 Microsoft Windows - VeriSign Time Stamping Services Signer
2 Microsoft Windows Component Publisher - VeriSign Time Stamping Services Signer

MD5 security rating in our database

318 files (Not yet rated and not signed)
7 files (Not yet rated and digitally signed)
7 files (Safe and not signed)
196 files (Safe and digitally signed)
Some versions of this filename have not yet been checked for safety.
Warning: Some malware might rename itself to wmiprvse.exe. Always make sure that your file is from a verified publisher.

User ratings for this file

File rating: Average rating of wmiprvse.exe: by 528 files and users.

Application errors

Fix wmiprvse.exe application error:  Run a FREE registry scan

User comments

I used msconfig and diabeled two HP programs in the startup area and the over use of the CPU by wmiprvse.exe stopped.
I am using Windows 7 64-bit OS SP1. once I disable "NetSwitch" from Service the CPU usage dropped from 80% to 10~% instantly.

how to get to 'Service"

1- Click Start menu.
2- Right click on "Computer" and click Manage.
3- Click on "Services and Applications" (last one on the left hand side)
4- Double click on Services
5- Open the second "sheet" called Standard.
6- Click on names for Alphabets order
7- Find "NetSwitch" and double click on it.
8- Click on "Stop"
9- Once you stop the service and on the same window open "Startup Type" from the drop down arrow and click disable.
10- Problem solved in my case and I've been used my computer for the past few days without any problem Good luck!

Please add your comments if you have more information about this file or if you know how to solve wmiprvse.exe application errors.

File safety :

File security rating :

Are you human? How much is 18+24:

Like this page?

Please support this free service by giving us a Google+1

Browse files by letter


More system processes

wmipst.exe WMIServer.exe WMISVC.DLL
WmiSvc.sys wmiwdog.exe wmkcheck.sys
wmkeycu.exe wmkilldrv.sys wmkue.exe
wmlaunch.exe wmlbrwsr.exe wmldap.dll

Lansweeper computer inventory From the creator of Runscanner:

is an automated IT asset management tool. It can quickly scan your computers and has over 250 default reports available.

There is no need to install any agents on the scanned computers, all hardware and software inventory scanning is done by standard build-in functionality.