I've been investigating a peculiar issue where my Windows Server 2008 system logs are flooded with recurring entries about the WMI Performance Adapter service constantly starting and stopping. The pattern is consistent: service starts, runs for about 10 seconds, then stops, repeating every 2 minutes.
After digging through Microsoft documentation and various tech forums, I discovered this behavior typically occurs when:
- The system is configured for performance counter collection
- There's a mismatch in WMI repository permissions
- Legacy performance counter DLLs aren't properly registered
- A scheduled task or monitoring tool is polling performance data
Here's how I confirmed the root cause in my environment:
# Check for related scheduled tasks
schtasks /query /fo LIST | findstr /i "wmi"
# Verify WMI repository consistency
winmgmt /verifyrepository
# Check performance counter status
lodctr /qBased on my testing, these approaches resolved the issue:
Method 1: Rebuilding Performance Counters
# Stop WMI services first
net stop winmgmt /y
# Delete performance counter registry entries
cd %systemroot%\system32
lodctr /r
# Rebuild WMI repository
winmgmt /resetrepositoryMethod 2: Disabling Unnecessary Collection
For servers not requiring detailed performance monitoring:
sc config WmiApSrv start= disabled
net stop WmiApSrvMethod 3: Registry Modification
For systems that need the service but want to reduce logging:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv]
"Start"=dword:00000004After implementing any of these fixes, verify the changes with:
# Check service state
sc query WmiApSrv
# Monitor event logs
wevtutil qe System /q:"*[System[Provider[@Name='Service Control Manager']]]" /rd:true /f:textIn my case, Method 1 completely resolved the logging spam while maintaining all necessary WMI functionality. The service now only starts when actually needed by performance monitoring tools.
The WMI Performance Adapter service (wmiapsrv.exe) is responsible for providing performance counter information to WMI consumers. In Windows Server 2008, you might observe frequent log entries showing the service constantly starting and stopping:
Event ID: 7036
Source: Service Control Manager
Description: The WMI Performance Adapter service entered the running state.
Event ID: 7036
Source: Service Control Manager
Description: The WMI Performance Adapter service entered the stopped state.This cycling typically occurs due to:
- Performance counter corruption
- Conflicting monitoring applications
- Incomplete service configuration
- Permission issues with performance libraries
First, verify the service status pattern:
Get-WinEvent -LogName System | Where-Object {$_.Id -eq 7036 -and $_.Message -like "*WMI Performance Adapter*"} |
Select-Object TimeCreated,Message | Format-Table -AutoSizeCheck for corrupted performance counters:
lodctr /q | Out-File perf_counters_before.txt
# Compare with known good configuration
lodctr /r # Rebuild performance countersMethod 1: Disable the Service (If Not Needed)
sc config wmiApSrv start= disabled
net stop wmiApSrvMethod 2: Repair Performance Counters
# From elevated command prompt:
winmgmt /resyncperf
# Alternative approach:
unlodctr /m
lodctr /rMethod 3: Rebuild WMI Repository
net stop winmgmt
cd %windir%\system32\wbem
ren repository repository.old
net start winmgmt
mofcomp cimwin32.mofFor servers where you need to keep the service running but monitor its behavior:
$service = Get-WmiObject Win32_Service -Filter "Name='wmiApSrv'"
$query = "SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='wmiApSrv'"
Register-WmiEvent -Query $query -Action {
param($event)
$state = $event.TargetInstance.State
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
"$timestamp - Service changed to: $state" | Out-File "C:\logs\wmiApSrv_monitor.log" -Append
}If the issue persists, enable WMI tracing:
# Enable WMI logging in registry
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WBEM\CIMOM" -Name "Logging" -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WBEM\CIMOM" -Name "Log File Max Size" -Value 5000000
# View logs in Event Viewer under:
# Applications and Services Logs > Microsoft > Windows > WMI-Activity