Why does wmiprvse.exe start with Firefox 32.0.1 in XP SP3?
Whenever I start Firefox, I see wmiprvse.exe load as a running process. I see this happen by using Sysinternal's Process Explorer. This has been happening since I updated to the current version of Firefox (32.0.1). It also happens whenever I start up the current version of Thunderbird (31.1.1). I have two questions:
1. Is this normal behavior? 2. If so, why is it necessary?
And just to clarify things, I have researched this for HOURS using "my friend" Google. I have also tried to get answers to these questions in various newsgroups to no avail. My copy of wmiprvse.exe is NOT infected (I ran it through Virustotal) and is only located where it is supposed to be on my hard drive.
Please help me by sticking to answers to the two questions I have, and bear in mind that I'm only talking about XP SP3.
The bug at
(The process WmiPrvSE.exe is launched on Firefox start-up) has been classed as resolved. The coder responsible for making wmiprvse.exe start with Firefox has added the following post to the bug discussion: ______________________________________________________________________________ David Major [:dmajor] 2014-09-25 14:56:07 PDT
Hi John and Yaron. I added that code. At the time, that AMD issue was one of our top sources of crashes. The crash was the result of a hardware issue on particular model CPUs and only appeared under certain timing conditions. Those conditions could be influenced by particular MSR values applied at startup by BIOS. AMD requested a breakdown of the crashes by OEM.
We didn't get a resolution on that bug, and usage of those CPUs has declined, but we're still finding the data useful for other crashes (as a proxy for system manufacturer, not necessarily the BIOS in particular).
There haven't been any changes in that area specifically for version 32. That code has been active since Firefox 27. To my knowledge it hasn't caused any problems, other than your surprise, which I hope I've addressed. ______________________________________________________________________________
Apparently he has no intention of removing the responsible code and doesn't consider wmiprvse.exe starting with Firefox to be an issue.
Well, my sincere thanks to OldSchoolCoder for discovering the cause of the phenomenon. Your research was above and beyond the call!
Now I know for sure that it's not caused by some kind of malware hijacking.Čítať túto odpoveď v kontexte 2
Ďalšie informácie o systéme
Nainštalované zásuvné moduly
- Shockwave Flash 15.0 r0
- PDF-XChange Viewer Netscape Gecko Plugin
- DivX VOD Helper Plug-in
- DivX Web Player version 188.8.131.528
- Identifikácia prehliadača: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
I should also mention that this happens whenever I start either Firefox or Thunderbird in the safe mode. It also happens when I create a new profile and start Firefox using that new profile.
This article says;
http://www.neuber.com/taskmanager/process/wmiprvse.exe.html Windows® Management Instrumentation (WMI) is a component of the Microsoft® Windows® operating system that provides management information and control in an enterprise environment.
I already know what wmiprvse.exe is for. As I mentioned in the original message: "And just to clarify things, I have researched this for HOURS using 'my friend' Google." Telling me where to obtain information about that process doesn't answer my questions. *sigh* I can see I'm going to have to go through the entire process all over again that I went through when I asked about this in various newsgroups.
I wish I could obtain simple answers to my two questions as I requested in my original message.
I have XP Pro 32 bit SP 3. Whenever I open PE, wmiprvse.exe always loads. Are you sure that FF is the reason? Try opening PE without anything else open.
It seems normal in some windows environments. Did you/ are you trying to stop wmiprvse.exe from running? an answer your 2nd question is that is how Win XP services handles communication to and from firefox. Also, is firefox the only program causing it to run?
I am absolutely positive that FF and TB are each starting wmiprvse.exe when either program starts. As I believe I said in another message to this discussion, I monitor things using Sysinternal's Process Explorer. Doing this, you can easily see that starting either Firefox or Thunderbird also immediately starts wmiprvse.exe. In fact, wmiprvse.exe starts before either FF or TB's program windows open. When I open PE (v.11.04 is what I'm using) wmiprvse.exe doesn't start also. However, Sysinternal's Process _Monitor_ *does* start wmiprvse.exe.
Another thing I've noticed is that I can use my batch file (Ctrl-Alt-W is assigned as a shortcut keystroke combination):
taskkill /f /im wmiprvse.exe
to easily kill wmiprvse.exe if I'm offline. If I'm *online* though, the batch file experiences a several second delay before running.
I wish a FF or TB developer would see this discussion. Probably they would be the only people who could definitively give a reason why this is happening.
I have noticed the same issue with SeaMonkey. This issue first occurred with SeaMonkey 2.24 which is equivalent to Firefox 27. Prior to that version, wmiprvse.exe was not loaded upon loading SeaMonkey.
I am also running Windows XP. Note that wmiprvse.exe is normally NOT running. It definitely loads with upon starting newer versions of SeaMonkey (2.24+) or Firefox (27+). I use Process Hacker to see what processes are running.
The question is what was changed in Firefox 27 (and inherited by SeaMonkey 2.24) which causes wmiprvse.exe to be loaded. Presumably some function is being called which causes the WMI service to be launched. This seems unnecessary since a browser should not need to use any of the functionality provided by WMI, this only serves to waste memory. Also once wmiprvse is started it can be killed without any noticeable impact so it doesn't appear to be used for anything beyond startup.
OldSchoolCoder, I'm sorry, I pressed the wrong button. Your reply WAS helpful to me! Wish there was a way to change it to a yes vote.
"The wmiprvse.exe file is otherwise known as Windows Management Instrumentation. It is a Microsoft Windows-based component that provides control and information about management in an enterprise environment.
Developers use the wmiprvse.exe file in order to develop applications used for monitoring purposes. These programs can notify users about important events related to network and file or application management right after each event occurs. With wmiprvse.exe, file managers in the enterprise environment are capable of configuring and searching for desktop system information or network and application information across the network."
When I look in my Services Module (%SystemRoot%\system32\services.msc /s), I see a listing for "Windows Management Instrumentation. And it is running. It's an automatic (by default) service. However, double clicking on the listing shows that the path to that service is "C:\WINDOWS\system32\svchost.exe -k netsvcs". Something isn't adding up and it's Microsoft's fault that this is so.
Regardless, there seems to be no justifiable reason that Firefox and Thunderbird should be using WMI unless it's for identification purposes.
I wish one of the programmers would step up and explain this phenomena.
Yes you will see WMI running (winmgmt) as part of one of the svchost processes but that's not exactly the same. wmiprvse is specifically part of Web-Based Enterprise Management (WBEM) which is connected to WMI. WMI is generally always running but wmiprvse usually is not and only loads on demand. Note wmiprvse can sometimes cause excessive CPU usage.
Something was done in Firefox 27 which calls for wmiprvse, only one of the programmers could actually say what and why it was done. Very likely it is something that is not necessary since it wasn't needed before and you can kill the wmiprvse task with no ill effects to the browser.
Sorry but that's not helpful, already saw that thread and there is no answer to the question there. The problem definitely is not Avast as I don't run that. The problem is definitely caused by a change in Firefox 27+ (which SeaMonkey 2.24+ inherits). On Windows XP, wmiprvse is usually not running but starting with Firefox 27 / SeaMonkey 2.24, loading those browsers immediately starts wmiprvse.exe as a job under one of the running svchost.exe services (the DcomLaunch one). This has been verified by watching the active tasks in Process Hacker which is an open source task manager similar to Process Explorer.
The question at hand is what was done that causes wmiprvse.exe to be loaded at browser startup on Windows XP. Can't someone get a developer to explain this what was changed and why ?
Upravil(a) OldSchoolCoder dňa
Cor-el and OldSchoolCoder, I've just reviewed the posts and links at the discussion Cor-el pointed out. Thanks Cor-el for pointing out Bug 1070123. I was almost at the point of posting the bug myself, but now I don't have to. I've posted a reply to the bug though, adding myself to the list of people who are experiencing this. Unfortunately however, none of the other posts or links at https://support.mozilla.org/en-US/questions/1021106 are of any help to me. I had high hopes for the page at http://blog.vilmatech.com/wmiprvse-exe-consumes-high-cpu-fix-wmiprvse-exe-error/, but in the end nothing there was of any use to me.
OldSchoolCoder, you say "Something was done in Firefox 27 which calls for wmiprvse, only one of the programmers could actually say what and why it was done". Where did you find that programmer and do you have a link to what he or she said?
HUH ? I didn't say that I found a programmer who already answered the question, I said that only one of the programmers would be able to answer the question.
The only other thing I can suggest is getting a tool like Process Hacker or DUMPBIN from Visual Studio and looking through the import tables of Firefox.exe or SeaMonkey.exe and all of its DLL files and try to find what function(s) reference something in WMI which causes wmiprvse to be started up and if found search the source code at lxr.mozilla.org to see what the code is doing.
After some research and detective work I suspect this is the cause: https://bugzilla.mozilla.org/show_bug.cgi?id=921609
Also see code here: http://mxr.mozilla.org/mozilla-central/source/toolkit/xre/nsAppRunner.cpp#3363
Apparently it was added to get the BIOS manufacturer, system name and system vendor for AMD. Seriously ? WMI is unnecessarily loaded because it was useful to debug one particular issue ? Also why the heck is the BIOS manufacturer relevant information for a crash anyway ? The 16-bit real-mode BIOS code definitely is not used by 32-bit protected-mode Windows.
Upravil(a) OldSchoolCoder dňa
OldSchoolCoder, thanks for doing that research and finding that info. I'm going to continue to monitor Bug 1070123 to see if the situation gets addressed. I might even post the info you provided about the coding. I'll be sure to attribute it to your research into the matter.
Disabling crash reporter by setting the environment variable MOZ_CRASHREPORTER_DISABLE=1 has no effect on this as there is no check for that in nsAppRunner.cpp before launching the thread which calls WBEM to get the BIOS manufacturer. See nsAppRunner.cpp function XRE_mainRun (currently line 3912) which is the command line startup. On line 3972 is the function to create the thread for function AnnotateSystemManufacturer_ThreadStart which in turn calls AnnotateSystemManufacturer which uses WBEM to the get the BIOS manufacturer which is what causes wmiprvse.exe to be loaded.
There is no good reason to get the BIOS manufacturer as a machine-specific crash would most likely be due to video card or video drivers, not system BIOS which isn't used by Windows except during very early startup (NTLDR) in real-mode. Once Windows is in protected-mode, the system BIOS code is of course not used, Windows only accesses some data (SMBIOS/DMI) from there and saves it. Causing wmiprvse.exe to be loaded just to get largely irrelevant info is questionable though wmiprvse.exe should terminate after 90 seconds.
Thank you OldSchoolCoder.
Up until a few days ago (i.e. before updating to FF 32.02), 'WmiPrvSE.exe' would not fire on FF start-up.
The last change in https://bugzilla.mozilla.org/show_bug.cgi?id=921609 was made in 2013.
With my limited knowledge, I didn't fully understand your explanation. And yet, are the above mentioned facts not contradictory to your conclusion?
Win 7, 32 bit. ___
I just got a reply in this post:
I stated several times that the problem first occurred with Firefox 27 / SeaMonkey 2.24. Notice that bug 921609 has a target milestone of Mozilla27, this is the release that the code was added to. Perhaps Firefox 32 is just when you first noticed it but the issue was introduced with Firefox 27.
There is no way to prevent the loading of wmiprvse.exe short of finding the code in whatever DLL has it and patching it out or building your own copy of Firefox or SeaMonkey, neither of which are trivial tasks.
Does the loading of wmiprvse.exe cause problems ? Possibly - wmiprvse is known to have issues and memory leaks, particularly on XP. It's hard to say for sure but I have noticed that SeaMonkey 2.24 and later do seem a bit sluggish (enough that I reverted back to 2.23).
Should the code to get the BIOS manufacturer have been added in the first place ? In my opinion no. I can't imagine why it would be relevant to a browser crash on Windows (or any other modern protected-mode OS) whether the BIOS is a Phoenix BIOS or a AMI BIOS. Note if you really must have this information it can also be obtained without WMI via the registry by reading HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBIOSVersion - yes the registry key can be changed by a user but how many users would actually do that and why would they as there is no good reason to manually modify that key. Again this is my opinion but I think that WMI / WBEM is a hacky and somewhat troublesome implementation and should be avoided if at all possible.
Thanks for the detailed explanation.
A number of users (same OS and FF version) in various posts say that the process isn't launched on their systems.
What might be the cause of the different behaviour?