WMI Debug Logging


    CC Hameed, Ask the Performance Team Blog, 4 Mar 2008 7:00 AM

    Welcome back. After our series of posts on Windows Server 2008, today we're going to switch gears a little bit and look at WMI Logging. We often get calls from customers regarding WMI issues beyond the Permissions or Impersonation Rights problems that we've discussed in previous posts. In many of these cases, the WMI provider may be hanging or is consuming an inordinate amount of resources. The problem is trying to identify what exactly is going on when the issue surfaces. One way to do this is by enabling some debug logging for WMI.

    For Windows XP and Windows Server 2003, the log files created by WMI and various providers record events, trace or diagnostic data, errors and other activities. Only a user with administrative privileges could access the WMI Logs folder. On Windows 2000 and Windows NT 4.0, non-administrators could read the logs in the WMI log folder. Enabling logging on Windows XP / Windows Server 2003 is a fairly simple process that does not require any service restarts unless you change the log file location. To enable logging, open the Computer Management MMC snap-in, expand the Services and Applications section and select WMI Control as shown in the image below:

    Right-click on WMI Control and select Properties. This brings up the WMI Control Properties dialog. Select the Logging tab:

    On this tab, you can set the various logging levels for WMI, the maximum size and location of the log file. You can also set the Logging Options through the modification of the appropriate values in this Registry Key: HKLM\Software\Microsoft\WBEM\CIMOM.

    Changing the value for Logging determines the logging level for WMI. The possible values are:

    0 No Logging / Disabled


    1 Log Errors Only

    2 Verbose Logging

    As indicated above, changes to the logging level take place immediately and there is no requirement to restart the WMI service. If you modify the location of the WMI Log files however, you will need to restart the WMI service. For the moment, I am setting the logging level to verbose and running a very simple query using the WBEMTEST utility. The query I am using is Select * from Win32_ComputerSystem which returns the name of the machine:

    If I look in the Log Folder directory, there are several log files to choose from. The WBEMCORE.LOG file is the one I need to review to see what was logged when I ran the query. Within this log, I can find the event for this particular query:

    So, I can tell what query was running and at what time; the time in the logs reflects the local time on the system. This information can be used to identify what WMI tasks may have been running when an issue occurred. However, the logs are not especially user-friendly. Enter Windows Vista ...

    The WMI service does not use the WMI Log files in Windows Vista. Instead, we use Event Tracing for Windows (ETW) and events that are available through the Event Viewer UI or the WEVTUTIL command line tool. To enable WMI tracing through Event Viewer, the first thing we have to do is show the Analytic and Debug Logs. Click on View, then select Show Analytic and Debug Logs:

    Once these logs are displayed, you will be able to enable tracing. Expand the Applications and Services Logs section and then the Microsoft \ Windows sections:

    Find the WMI-Activity folder and expand it; you should see a Trace log below that:

    Right-click on the Trace log and select Enable Log. That's it. Trace Logging is enabled. To change the log size, you have to disable the logging first, then set the size and re-enable logging. So now that I have logging enabled, let's run the exact same query from WBEMTEST again. Within the Trace Log, I can see lots of events and the format is much more user friendly:
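    The Event Viewer steps above, scripted with the WEVTUTIL tool the post mentions (an added example, not part of the original post). It assumes an elevated Windows PowerShell prompt on Windows Vista / Server 2008 or later; the 20 MB size and the `Invoke-Wevtutil` helper name are illustrative.

```powershell
# Added example: drive the WMI-Activity trace channel from the command line.
$log     = 'Microsoft-Windows-WMI-Activity/Trace'
$maxSize = 20MB   # assumed size for illustration; expands to 20971520 bytes

# Hypothetical helper: run wevtutil and stop on a non-zero exit code.
function Invoke-Wevtutil {
    param([string[]]$Arguments)
    & wevtutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# The size can only be changed while the log is disabled, so disable first.
Invoke-Wevtutil -Arguments 'sl', $log, '/e:false'
Invoke-Wevtutil -Arguments 'sl', $log, "/ms:$maxSize"

# Enabling an analytic/debug log clears it; /q:true suppresses the prompt.
Invoke-Wevtutil -Arguments 'sl', $log, '/e:true', '/q:true'

try {
    # Same query the post runs from WBEMTEST, issued here through PowerShell.
    Get-WmiObject -Query 'Select * from Win32_ComputerSystem' | Out-Null
}
finally {
    # Stop tracing so the channel does not keep collecting after the test.
    Invoke-Wevtutil -Arguments 'sl', $log, '/e:false'
}

# Analytic and debug logs must be read oldest-first, hence -Oldest.
Get-WinEvent -LogName $log -Oldest |
    Where-Object { $_.Message -match 'Win32_ComputerSystem' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```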


    I can track the operation ID, see the query that was executed, the client machine that it was executed on, the User name, the Client Process ID and the Namespace to which I was connected, all from one event. This makes tracing the events within WMI much easier when trying to track down problems.

    OK, that will do it for this post. Until next time ...

    CC Hameed

    Anonymous, 5 Mar 2008 3:50 AM

    PingBack from http://www.ditii.com/2008/03/04/wmidebuglogging/

    uday31in, 19 Jun 2008 10:35 PM

    Is it possible to use WMI to a server behind NAT?

    e.g. Public IP x.y.z.123 is mapped to 192.168.1.123. Can I run WMI queries against this server from the internet if my IP is allowed to communicate on all ports?

    Uday

    Karina, 4 Jan 2011 5:08 PM

    Is it possible to use GPO to enable WMI debug logging on Windows 2008 R2 servers? I have more than 100 servers, and enabling logging that way will take a long time to complete.