Link to home
Start Free TrialLog in
Avatar of AusRick
AusRickFlag for Australia

asked on

Faulting applications wmiprvse.exe & exwmi.dll on SBS2003 R2

Hi Experts,

I'm having trouble with multiple instances of 2 errors in my application log on SBS 2003 R2 Premium server with service pack 2 and WSUS 3, all updates recently applied.

The faulting applications appear to be wmiprvse.exe and exwmi.dll.

I've searched EE and found articles that describe similar problems, however these are 3+ years old.

I'll list full error texts below and add systeminfo and ipconfig details to kick things off.

Old topics on EE:
https://www.experts-exchange.com/questions/22605666/Windows-SBS-2003-R2-w-SP2-experiencing-WMI-errors.html
https://www.experts-exchange.com/questions/22070592/Various-problems-on-an-SBS-2003-server.html

Some Microsoft pages:
http://support.microsoft.com/kb/914831/en-us
http://support.microsoft.com/kb/555912
http://support.microsoft.com/kb/897342

My sysinfo says that original install was Feb 2006. I'm can't remember clearly, but I recall ordering a fresh disk set for R2 that may have contained service pack1???

I'm not certain that my errors relate to mistakes that I've made with service pack installations, but that seems to be a common thread amongst other pages I've read.

I've got time to spend on this and would be grateful for any assistance from more experienced minds. I'm happy to dig up additonal info as required. Thanks in advance :)

Specific details from my computer below....
Avatar of AusRick
AusRick
Flag of Australia image

ASKER

***ERROR A***
Over 8,400 instances of this exact error in my current log:

Event Type:      Error
Event Source:      Application Error
Event Category:      (100)
Event ID:      1000
Date:            20/05/2010
Time:            5:03:09 PM
User:            N/A
Computer:      SERVER
Description:
Faulting application wmiprvse.exe, version 5.2.3790.4455, faulting module ntdll.dll, version 5.2.3790.4455, fault address 0x0001a379.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 77 6d 69   ure  wmi
0018: 70 72 76 73 65 2e 65 78   prvse.ex
0020: 65 20 35 2e 32 2e 33 37   e 5.2.37
0028: 39 30 2e 34 34 35 35 20   90.4455
0030: 69 6e 20 6e 74 64 6c 6c   in ntdll
0038: 2e 64 6c 6c 20 35 2e 32   .dll 5.2
0040: 2e 33 37 39 30 2e 34 34   .3790.44
0048: 35 35 20 61 74 20 6f 66   55 at of
0050: 66 73 65 74 20 30 30 30   fset 000
0058: 31 61 33 37 39            1a379
Avatar of AusRick

ASKER

***ERROR B***
Over 2,300 instances of this exact error in my current log:

Event Type:      Error
Event Source:      Microsoft Exchange Server
Event Category:      None
Event ID:      1000
Date:            20/05/2010
Time:            5:03:04 PM
User:            N/A
Computer:      SERVER
Description:
Faulting application exwmi.dll, version 6.5.7638.1, stamp 430e7361, faulting module ntdll.dll, version 5.2.3790.4455, stamp 49900d60, debug? 0, fault address 0x0001a379.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 00 70 00 70 00 6c 00   A.p.p.l.
0008: 69 00 63 00 61 00 74 00   i.c.a.t.
0010: 69 00 6f 00 6e 00 20 00   i.o.n. .
0018: 46 00 61 00 69 00 6c 00   F.a.i.l.
0020: 75 00 72 00 65 00 20 00   u.r.e. .
0028: 20 00 65 00 78 00 77 00    .e.x.w.
0030: 6d 00 69 00 2e 00 64 00   m.i...d.
0038: 6c 00 6c 00 20 00 36 00   l.l. .6.
0040: 2e 00 35 00 2e 00 37 00   ..5...7.
0048: 36 00 33 00 38 00 2e 00   6.3.8...
0050: 31 00 20 00 34 00 33 00   1. .4.3.
0058: 30 00 65 00 37 00 33 00   0.e.7.3.
0060: 36 00 31 00 20 00 69 00   6.1. .i.
0068: 6e 00 20 00 6e 00 74 00   n. .n.t.
0070: 64 00 6c 00 6c 00 2e 00   d.l.l...
0078: 64 00 6c 00 6c 00 20 00   d.l.l. .
0080: 35 00 2e 00 32 00 2e 00   5...2...
0088: 33 00 37 00 39 00 30 00   3.7.9.0.
0090: 2e 00 34 00 34 00 35 00   ..4.4.5.
0098: 35 00 20 00 34 00 39 00   5. .4.9.
00a0: 39 00 30 00 30 00 64 00   9.0.0.d.
00a8: 36 00 30 00 20 00 66 00   6.0. .f.
00b0: 44 00 65 00 62 00 75 00   D.e.b.u.
00b8: 67 00 20 00 30 00 20 00   g. .0. .
00c0: 61 00 74 00 20 00 6f 00   a.t. .o.
00c8: 66 00 66 00 73 00 65 00   f.f.s.e.
00d0: 74 00 20 00 30 00 30 00   t. .0.0.
00d8: 30 00 31 00 61 00 33 00   0.1.a.3.
00e0: 37 00 39 00 0d 00 0a 00   7.9.....
Avatar of AusRick

ASKER

2010 May 20
***IPCONGIG***

Windows IP Configuration

   Host Name . . . . . . . . . . . . : server
   Primary Dns Suffix  . . . . . . . : {removed}.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : {removed}.local

Ethernet adapter SERVER LAN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-C0-9F-38-14-5F
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   Primary WINS Server . . . . . . . : 192.168.16.2

Ethernet adapter INTERNET:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
   Physical Address. . . . . . . . . : 00-0E-0C-35-57-C8
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.138
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   NetBIOS over Tcpip. . . . . . . . : Disabled
Avatar of AusRick

ASKER

2010 May 20
**SYSTEMINFO***

Host Name:                 SERVER
OS Name:                   Microsoft(R) Windows(R) Server 2003 for Small Busines
s Server
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          {removed}
Registered Organization:   {removed}
Product ID:                74995-066-7981584-42048
Original Install Date:     13/02/2006, 4:42:27 PM
System Up Time:            1 Days, 0 Hours, 56 Minutes, 13 Seconds
System Manufacturer:       Dell Computer Corporation
System Model:              PowerEdge 1600SC
System Type:               X86-based PC
Processor(s):              4 Processor(s) Installed.
                           [01]: x86 Family 15 Model 2 Stepping 5 GenuineIntel ~
3189 Mhz
                           [02]: x86 Family 15 Model 2 Stepping 5 GenuineIntel ~
3189 Mhz
                           [03]: x86 Family 15 Model 2 Stepping 5 GenuineIntel ~
3189 Mhz
                           [04]: x86 Family 15 Model 2 Stepping 5 GenuineIntel ~
3189 Mhz
BIOS Version:              DELL   - 1
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+10:00) Canberra, Melbourne, Sydney
Total Physical Memory:     4,031 MB
Available Physical Memory: 329 MB
Page File: Max Size:       5,923 MB
Page File: Available:      1,190 MB
Page File: In Use:         4,733 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    {removed}.local
Logon Server:              \\SERVER
Hotfix(s):                 353 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: File 1
                           [03]: File 1
                           [04]: File 1
                           [05]: File 1
                           [06]: File 1
                           [07]: File 1
                           [08]: File 1
                           [09]: File 1
                           [10]: File 1
                           [11]: File 1
                           [12]: File 1
                           [13]: File 1
                           [14]: File 1
                           [15]: File 1
                           [16]: File 1
                           [17]: File 1
                           [18]: File 1
                           [19]: File 1
                           [20]: File 1
                           [21]: File 1
                           [22]: File 1
                           [23]: File 1
                           [24]: File 1
                           [25]: File 1
                           [26]: File 1
                           [27]: File 1
                           [28]: File 1
                           [29]: File 1
                           [30]: File 1
                           [31]: File 1
                           [32]: File 1
                           [33]: File 1
                           [34]: File 1
                           [35]: File 1
                           [36]: File 1
                           [37]: File 1
                           [38]: File 1
                           [39]: File 1
                           [40]: File 1
                           [41]: File 1
                           [42]: File 1
                           [43]: File 1
                           [44]: File 1
                           [45]: File 1
                           [46]: File 1
                           [47]: File 1
                           [48]: File 1
                           [49]: File 1
                           [50]: File 1
                           [51]: File 1
                           [52]: File 1
                           [53]: File 1
                           [54]: File 1
                           [55]: File 1
                           [56]: File 1
                           [57]: File 1
                           [58]: File 1
                           [59]: File 1
                           [60]: File 1
                           [61]: File 1
                           [62]: File 1
                           [63]: File 1
                           [64]: File 1
                           [65]: File 1
                           [66]: File 1
                           [67]: File 1
                           [68]: File 1
                           [69]: File 1
                           [70]: File 1
                           [71]: File 1
                           [72]: File 1
                           [73]: File 1
                           [74]: File 1
                           [75]: File 1
                           [76]: File 1
                           [77]: File 1
                           [78]: File 1
                           [79]: File 1
                           [80]: File 1
                           [81]: File 1
                           [82]: File 1
                           [83]: File 1
                           [84]: File 1
                           [85]: File 1
                           [86]: File 1
                           [87]: File 1
                           [88]: File 1
                           [89]: File 1
                           [90]: File 1
                           [91]: File 1
                           [92]: File 1
                           [93]: File 1
                           [94]: File 1
                           [95]: File 1
                           [96]: File 1
                           [97]: File 1
                           [98]: File 1
                           [99]: File 1
                           [100]: File 1
                           [101]: File 1
                           [102]: File 1
                           [103]: File 1
                           [104]: File 1
                           [105]: File 1
                           [106]: File 1
                           [107]: File 1
                           [108]: File 1
                           [109]: File 1
                           [110]: File 1
                           [111]: File 1
                           [112]: File 1
                           [113]: File 1
                           [114]: File 1
                           [115]: File 1
                           [116]: File 1
                           [117]: File 1
                           [118]: File 1
                           [119]: File 1
                           [120]: File 1
                           [121]: File 1
                           [122]: File 1
                           [123]: File 1
                           [124]: File 1
                           [125]: File 1
                           [126]: File 1
                           [127]: File 1
                           [128]: File 1
                           [129]: File 1
                           [130]: File 1
                           [131]: File 1
                           [132]: File 1
                           [133]: File 1
                           [134]: File 1
                           [135]: File 1
                           [136]: File 1
                           [137]: File 1
                           [138]: File 1
                           [139]: File 1
                           [140]: File 1
                           [141]: File 1
                           [142]: File 1
                           [143]: File 1
                           [144]: File 1
                           [145]: File 1
                           [146]: File 1
                           [147]: File 1
                           [148]: File 1
                           [149]: File 1
                           [150]: File 1
                           [151]: File 1
                           [152]: File 1
                           [153]: File 1
                           [154]: File 1
                           [155]: File 1
                           [156]: File 1
                           [157]: File 1
                           [158]: File 1
                           [159]: File 1
                           [160]: File 1
                           [161]: File 1
                           [162]: File 1
                           [163]: File 1
                           [164]: Q147222
                           [165]: KB933854 - QFE
                           [166]: KB953298 - QFE
                           [167]: SP1 - SP
                           [168]: KB907747 - Update
                           [169]: KB911829 - Update
                           [170]: KB912442 - Update
                           [171]: KB916803 - Update
                           [172]: KB924334 - Update
                           [173]: KB926666 - Update
                           [174]: KB931832 - Update
                           [175]: KB950159 - Update
                           [176]: KB950757 - Update
                           [177]: KB959897 - Update
                           [178]: KB976702 - Update
                           [179]: KB968930 - Update
                           [180]: KB917283 - Update
                           [181]: KB922770 - Update
                           [182]: KB928365 - Update
                           [183]: Q927978
                           [184]: Q936181
                           [185]: Q954430
                           [186]: Q973688
                           [187]: IDNMitigationAPIs - Update
                           [188]: NLSDownlevelMapping - Update
                           [189]: KB925398_WMP64
                           [190]: KB929969 - Update
                           [191]: KB931768-IE7 - Update
                           [192]: KB933566-IE7 - Update
                           [193]: KB938127-IE7 - Update
                           [194]: KB939653-IE7 - Update
                           [195]: KB942615-IE7 - Update
                           [196]: KB947864-IE7 - Update
                           [197]: KB950759-IE7 - Update
                           [198]: KB953838-IE7 - Update
                           [199]: KB963027-IE7 - Update
                           [200]: KB969897-IE7 - Update
                           [201]: KB971961-IE8 - Update
                           [202]: KB976325-IE7 - Update
                           [203]: KB976662-IE8 - Update
                           [204]: KB980182-IE8 - Update
                           [205]: KB980302-IE8 - Update
                           [206]: KB981332-IE8 - Update
                           [207]: KB971513 - Update
                           [208]: KB914961 - Service Pack
                           [209]: KB926139-v2
                           [210]: KB926141
                           [211]: KB921503 - Update
                           [212]: KB923561 - Update
                           [213]: KB925876 - Update
                           [214]: KB925902 - Update
                           [215]: KB926122 - Update
                           [216]: KB927891 - Update
                           [217]: KB929123 - Update
                           [218]: KB930178 - Update
                           [219]: KB931784 - Update
                           [220]: KB931836 - Update
                           [221]: KB932168 - Update
                           [222]: KB933360 - Update
                           [223]: KB933729 - Update
                           [224]: KB933854 - Update
                           [225]: KB935839 - Update
                           [226]: KB935840 - Update
                           [227]: KB935966 - Update
                           [228]: KB936021 - Update
                           [229]: KB936357 - Update
                           [230]: KB936594 - Update
                           [231]: KB936782 - Update
                           [232]: KB937231 - Update
                           [233]: KB938464 - Update
                           [234]: KB938759-v4 - Update
                           [235]: KB941202 - Update
                           [236]: KB941568 - Update
                           [237]: KB941569 - Update
                           [238]: KB941644 - Update
                           [2
Network Card(s):           2 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: SERVER LAN
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.16.2
                           [02]: Intel(R) PRO/1000 MT Server Adapter
                                 Connection Name: INTERNET
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.0.0.1
Avatar of Cris Hanna
www.sbsbpa.com  (SBS Best Practices Advisor)
Avatar of AusRick

ASKER

Hi Chris, thanks for reminding me about the SBS BPA. I have it already on my server. I updated it and ran a scan. It didn't seem to identify anything too problematic, but I will address each of the items mentioned in the report and run the scan again.

The warnings from the SBS BPA scan just completed are:

1.Warning Allocated Memory alert threshold  
The threshold for the Allocated Memory alert is set to the default value. However the server has more than 2 GB of RAM installed.

2. Warning Change the functional level of Exchange Server 2003
The functional level of your Exchange Server 2003 organization is: Mixed Mode (can support pre-Exchange 2000 servers).   This must be changed to native mode before attempting to migrate to Windows Small Business Server 2008. Go to Start/All Programs/Microsoft Exchange/System Manager then right click on the organization and select Properties

3. Warning Network interface driver file is more than one year old
Network Card Driver: E1000 Last Modifed Date: 20071107192758.000000+660

4. Warning Network interface driver file is more than one year old  
Network Card Driver: E1000 Last Modifed Date: 20071107192758.000000+660

5. Warning The Site Replication Service is started  
The Microsoft Exchange Site Replication Service is started on this server. By default, the Startup Type for this service is set to disabled.

6. Warning Windows Server Update Services v3 is at RTM
Windows Server Update Services v3 is at RTM and Service Pack 1 is available.
(This one is strange because I just installed WSUS v3 sp2, but I will look into it)

Once I address each of these items, I'll run a fresh BPA scan and report back.
Obviously, I'll also see if it stops the thousands of application errors in my logs! ;)
Avatar of AusRick

ASKER

I've run both SBS and Exchange BPAs (several times) and checked all warnings.

The SBS BPA shows three warnings, 2 for NIC drivers and 1 for WSUS.

The drivers I have are the latest available from Intel, however they are +1 year old.
I am running WSUS3sp2 and I have previously installed sp1.

I'm satisfied that these things are not related to my current error message troubles :)

I've found a pattern for the repeating cycle of errors and I'll list those details below....
Avatar of AusRick

ASKER

I have no idea if my errors are related, but I've been studying the application log to try and establish a pattern .......

This one is the most prevelant and seems to trigger every 10 seconds:
- - - - - - - - - - - - - - - - - - - - - - - -
Event Type:    Error
Event Source:    Application Error
Event Category:    (100)
Event ID:    1000
Date:        21/05/2010
Time:        6:47:59 PM
User:        N/A
Computer:    SERVER
Description:
Faulting application wmiprvse.exe, version 5.2.3790.4455, faulting module ntdll.dll, version 5.2.3790.4455, fault address 0x0001a379.
- - - - - - - - - - - - - - - - - - - - - - - -

And this one triggers every 40 seconds:
- - - - - - - - - - - - - - - - - - - - - - - -
Event Type:    Error
Event Source:    Microsoft Exchange Server
Event Category:    None
Event ID:    1000
Date:        21/05/2010
Time:        6:47:43 PM
User:        N/A
Computer:    SERVER
Description:
Faulting application exwmi.dll, version 6.5.7638.1, stamp 430e7361, faulting module ntdll.dll, version 5.2.3790.4455, stamp 49900d60, debug? 0, fault address 0x0001a379.
- - - - - - - - - - - - - - - - - - - - - - - -
The second error (Exchange Server) is always accompanied with two infomation events:
- - - - - - - - - - - - - - - - - - - - - - - -
Event Type:    Information
Event Source:    Microsoft Exchange Server
Event Category:    None
Event ID:    1001
Date:        21/05/2010
Time:        6:47:44 PM
User:        N/A
Computer:    SERVER
Description:
Bucket 1231528181, bucket table 1, faulting application exwmi.dll, version 6.5.7638.1, stamp 430e7361, faulting module ntdll.dll, version 5.2.3790.4455, stamp 49900d60, debug? 0, fault address 0x0001a379.
- - - - - - - - - - - - - - - - - - - - - - - -
AND
- - - - - - - - - - - - - - - - - - - - - - - -
Event Type:    Information
Event Source:    Microsoft Exchange Server
Event Category:    None
Event ID:    1010
Date:        21/05/2010
Time:        6:47:44 PM
User:        N/A
Computer:    SERVER
Description:
Bucket 1231528181, bucket table 1.
- - - - - - - - - - - - - - - - - - - - - - - -
Also, these two additonal information messages occur within each cycle before it repeats over and again in the same pattern:
- - - - - - - - - - - - - - - - - - - - - - - -
Event Type:    Information
Event Source:    MSExchangeSA
Event Category:    Monitoring
Event ID:    9095
Date:        21/05/2010
Time:        6:47:39 PM
User:        N/A
Computer:    SERVER
Description:
The MAD Monitoring thread is initializing.
- - - - - - - - - - - - - - - - - - - - - - - -
AND
- - - - - - - - - - - - - - - - - - - - - - - -
Event Type:    Information
Event Source:    MSExchangeSA
Event Category:    Monitoring
Event ID:    9096
Date:        21/05/2010
Time:        6:47:39 PM
User:        N/A
Computer:    SERVER
Description:
The MAD Monitoring thread is initialized.
- - - - - - - - - - - - - - - - - - - - - - - -

Any ideas anyone, I'm quite happy to troubleshoot, dig out information etc ???
we all hate errors in the log...Are you having particular issues?  Or just seeing the errors?
I did find the following which may give some further insight
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2004-10/2284.html 
Avatar of AusRick

ASKER

I haven't noticed particular malfunctions in the regular tasks this server performs, however the thousands of repeating errors have me concerned and I'd prefer to find the cause and address it.

Reading online about my error messages always points me toward Windows Management Instrumentation (WMI).

I don't know if WMI itself is malfunctioning, or a program or process trying to use it.

Thanks for the link, I think it will be useful and it led me to numerous other webpages. I've developed a workflow to try for a resolution:

1. Free up memory by limiting some bloated services like MSSQL$SBSMONITORING
2. Run SpyBot S&D to make sure I don't have infections.
3. Check the state of WMI and run the WMI diagnosis utility
4. Rebuild the WMI repository if required.

It's the weekend here now, so I'll sit down with this on Monday and report back. If anyone has any additional thoughts or comments, I'm all ears! :)
SOLUTION
Avatar of Cris Hanna
Cris Hanna
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I hate Symantec...period!  I've seen it destroy more servers.  I'm using firewalls with UTM abilities at all my customers now.  The less I put on the server the better!