What can I do when my WMI sensors in PRTG are showing errors? Can you provide trouble shooting steps?
General introduction to WMI and PRTG
Every so often, customers who use our monitoring tools (for example PRTG Network Monitor) report issues when they try to monitor their systems using WMI (Windows Management Instrumentation) sensors. In most cases, these issues stem from a malfunctioning WMI configuration/installation. For example, we have noticed that many times when WMI issues arise, one (or multiple) WMI components that are crucial for proper WMI monitoring are missing or have not been implemented properly.
Please note: Before we go any deeper into troubleshooting, it is necessary to have a good knowledge of the principles and functions of WMI. Please refer to the following Microsoft article for frequently asked questions about WMI:
Please ensure the following:
- DCOM is enabled on the probe and the target computer. Check the respective registry entry.
- The user whose credentials are specified for monitoring WMI is a member of the Domain Administrators group in the same Active Directory as the target computer. If a target computer is outside of a domain, the user has to be a member of the local Administrators group and of the DCOM group and of the Performance Monitoring group on this machine.
- The monitoring user’s access rights on COM and WMI include remote access rights for the target computer. Read about Securing a Remote WMI Connection on MSDN.
- The target computer's Windows Firewall is set to allow WMI. MSDN features an article on this topic for XP and W2k3: Connecting to WMI remotely with VBScript. For computers with Vista and later Windows versions, read this article on MSDN: Connecting to WMI on a Remote Computer.
- If the firewall is enabled by group policies, you have to enable the "Allow Remote Administration Exception" as outlined in this Addicted to IT article: Group Policy: Windows Firewall setting to allow your WMI scripts to run
- The RPC server that is used for WMI on the target computer is running on the port that is specified in PRTG (135 by default).
- DCOM and RPC need open high ports in the 49152-65535 range on Windows Vista and Windows Server 2008 or later. In previous Windows versions, ports in the 1024-5000 range are required. Some customers have found that opening TCP port 1091 helped them to get a connection. For more information, see the article
Service overview and network port requirements for Windows.
To define a more specific port range for DCOM, follow these steps:
- Run dcomcnfg to open the DCOM console.
- Open Components Services | Computers | My Computer.
- Right-click My Computer and choose Properties from the context menu.
- Open the Default Protocols tab.
- Open the Properties... of Connection-oriented TCP/IP.
- Define the port range you want DCOM to listen at. Set a minimum of 100 ports in the 49152-65535 or 1024-5000 range, depending on the Windows versions in your environment.
- Security software: It is always a good idea to double-check that no local security software (anti-spy, anti-virus, and others) on either side is blocking WMI connections.
- If you do not get a WMI connection, try to restart the WMI service manually or change the IP address of the target server to its DNS name in the device settings in PRTG. This establishes a completely new WMI connection, which might help.
Troubleshooting in detail
Please refer to the following articles for further information:
- WMI Tools Overview
- The Most Common WMI Errors
- PRTG WMI Error Messages
- Monitoring via WMI: WQL Queries
- How to Fix the WMI Sensors Error PE263
- Troubleshooting 'Connection could not be established' Error Messages
You can find a very good external article for troubleshooting WMI here:
Tips against slowness on Vista and Windows 2008 are found here:
If you are monitoring a massive number of hosts with one probe, the following article might help. Keep in mind, however, that it is always a good idea to distribute WMI queries over one or more Remote Probes.
If you are experiencing high handle count in WMI service (Winmgmt) or WMI provider (wmiprvse.exe), please see this article:
PRTG settings for WMI
PRTG offers a few settings for dealing with WMI issues:
Tips and tricks
The following articles provide guidelines for special scenarios:
- Monitoring WMI Sensors Outside a Domain
- Avoiding Memory Leaks Caused by the 'Win32_Service' WMI Class
How to repair WMI
If all else fails, we have gathered some procedures that might fix the WMI system on affected computers:
Another good article about all issues regarding WMI can be found under:
This reference provides a list of WMI providers, information on the COM API for WMI, WMI queries, WMI log files, WMI security, WMI tools, and WMI infrastructure objects and values.
Further articles of interest, which provide more detail than the troubleshooting articles above, and which relate to particular aspects of WMI configuration can be found under :
Maybe a little addition.
If you query your WMI from within a powershell on Windows 2008R2, you maybe get a Class not Found error. Remember that PRTG uses the 32-bit powershell as default.
Execute your powershell script in powershell 32-bit, receive the same error? Execute your powershell script in powershell 64-bit, error resolved? Than execute your script in a 64-bit powershell by calling it from a commandline in your 32-bit script.
start.ps1 <- the 32-bit, notice the sysnative folder.... c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -file "C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXE\<script>.ps1"
main.ps1 your working 64-bit WMI script.....
Nice thing to know is that you still can use arguments...
I can't really understand what prevented you from developing something like "WMI proxy" which will run as a service on remote machine and execute all the WMI queries - there won't be any overloads, permission issues, flickering issues and so on...
we want to avoid the need to install and maintain extra software on the hosts you monitor.
@Vadim Doroginin: Actually we did develop such a service. It's called "Remote Probe" and can be installed on one, or a few, or all your machines in your network. But it's a lot of work to install a software on all machines in a network and in most cases it is not necessary.
A huge majority of PRTG users is using WMI just fine to monitor their networks with hundreds or even thousands of Windows PCs.
And for those who do have problems with WMI there is the option to install Remote Probes.
Windows Server 2008 & 2008 R2 WMI Defects
Paessler: please consider making the relevant information below part of the body of your KB article. I hope it helps someone else.
A while back I started closely monitoring the WMI service on the various servers that often false alarm during WMI overload. Most often, the free space check would fail returning a null or zero value instead of the correct value for free disk space. To troubleshoot, I added the PRTG WMI service monitor for the WMI Service itself with a 60 second interval. I also monitored the system and application event logs with 15 minute intervals. It helped to get more specific errors about what was going on with WMI. Most often I'd get one of these errors in succession:
- WMI Free Disk Space [Multi Drive]: 0 % (Free Space C:) is below the error limit of 10 %
- Windows Management Instrumentation (WMI Service) Warning: 80041006: There was not enough memory for the operation.
- Event Log (Windows API) Value changed: Faulting application wmiprvse.exe, version 6.1.7600.16385, faulting module 4a5bc794, version ole32.dll, fault address 0x6.1.7600.16624
Armed with this new information, I was able to find two Microsoft KB articles that seemed to match the symptoms:
- 958124 A wmiprvse.exe process may leak memory when a WMI notification query is used heavily on a Windows Server 2008-based or Windows Vista-based computer
- 954563 Memory corruption may occur with the Windows Management Instrumentation (WMI) service on a computer that is running Windows Server 2008 or Windows Vista Service Pack 1
Applying these two hotfixes stopped the false alarms on my Windows 2008 and 2008 R2 servers.
great finding, thanks a lot for this!
I've added your solution to our Most common WMI errors article.
To have WMI to work on 2k3 with firewall, I've opened port 1091 TCP.
Here's the DEBUG solution we've used to see this :
- start windows firewall logging and check the logs for dropped connections Go to the Windows Firewall, Advanced settings Security Log group-box -> Click on Parameters button Select "Log dropped packets" Look at the log file location (if not present define one) Click OK
You can now press 'Windows + R' and then type '%WINDIR%\pfirewall.log' to see what's wrong.
If WMITest shows Error 800706BA: In Windows Firewall enable port TCP 1091 and TCP 56301
If WMITest show Error 8007005 for Windows Pro with firewall off : Disable simpe file sharing. Method 1: Explorer -> Tools -> Folder options -> Display -> Simple file sharing
Method 2 : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Set 'forceguest' to 0
a great thanks to ERIC Drezet from CNRS who give me a simple working solution.
It works for Windows XP : Netsh firewall set service remoteadmin enable
For Windows 7, we must have a closer look because netsh firewall [...] has been replaced by netsh advfirewall [...]
it should be something like (don't work for me): NETSH advfirewall firewall SET rule group="remote administration" new enable=yes
but this command seems to works (even if depreciated) : netsh firewall set service type=remoteadmin mode=enable
CAUTION : it seems that UAC will block these commands to work.
80070005: Access is denied SOLVED
Just delete the device and "add" it again to your prtg monitor Group. Do an automatic discovering and it will work fine again. Try it.
Hey everyone.. I had been struggling for ages with a server that just suddenly stopped responding to WMI. Throwing a mixture of PE015, 80041002 (Object Not Found).
I tried everything across all the WMI threads on here and had no luck.
I found a guy online talking about general WMI errors, and I followed through some of the steps he had posted and boom! Working WMI sensors.
It boiled down to rebuilding WMI on the target server.
I've written up my process here: http://craigerrington.com/blog/prtg-wmi-repair-80041002/
@CraigE: Thanks for sharing your findings!
The prtg kb has been a godsend and so far solved any issues I encountered, namely WMI sensor issues that may relate back to the probe dependencies not being met. Thank you.
Please, update this article to not recommend adding the PRTG service account to the DOMAIN ADMINS. It's 2016, such blatant insecurity is not an acceptable solution to this problem!
We have the same doubts as you have about using domain admin credentials for WMI Montioring. However, it's the most reliable option for all WMI / Performance Counters that the sensors monitor. Bear in mind, we do not define the necessary permissions / privileges to access those counters. That's done by Microsoft and potentially the Windows Admins in an organization. PRTG can only adapt to it.
@PRTG, is it true, that WMI does not work over a NATed network?
We recommend actually to use Remote Probes in a NAT-scenario. Place a Probe into the subnet and configure it to connect back to the PRTG Core Server. That usually also resolves any administrational struggles then when alerts happen, to see in which actual subnet they happen.
I have been breaking my head on this one, WMI is working on my servers, but on some servers, the Free Disk Space (Multi Drive) sensor can't seem to get out of an error state (unexpected result). SNMP free disk space works in these cases. I tried to use Free Disk Space (Multi Drive) sensor per drive, and it appeared that only some drives fail.
Solution: be sure the account you use for logging in with WMI has some read rights to the drive. For security, root-only Read-only is enough.
I'm having a nightmare getting the WMI sensors to work on Windows Server 2016.
I've meticulously followed the guides and troubleshooting steps, set permissions in DCOM, WMI, ensured the services are running, allowed WMI through the Windows Firewall (even though the firewalls are set to off) and ensured PRTG is using the right credentials.
I was getting an error PE015 but now they just show as Down. I've run the WMI Tester utility from my PRTG server and directed it at my target system with the same credentials configured in the PRTG sensor, and the WMI Tester successfully pulls WMI data. The sensor stubbornly does not.
I've rebooted both host and PRTG server, checked and double-checked but no dice.
Is there any additional checks I can do, logs I can review or steps I can attempt?
Any help at all would be greatly appreciated!
Thanks for your KB-posting.
Please open a new support ticket, using the ticket number PAE969863, and forward us a complete support bundle for analysis.
Also, please create and forward us Probe State Files from the affected probe device (local probe or remote probe).
Thank you very much in advance.
please add the topic: User Account Control and WMI https://docs.microsoft.com/de-de/windows/win32/wmisdk/user-account-control-and-wmi?redirectedfrom=MSDN
I had trouble with Remote-WMI on Windows 10/1903. I got an Access denied from the Win10-machine. Creating a local administration-user did not work. I found a solution here:
Windows PowerShell PS C:\Windows\system32> get-service winrm Status Name DisplayName ------ ---- ----------- Stopped winrm Windows-Remoteverwaltung (WS-Verwal... PS C:\Windows\system32> enable-PSRemoting -force WinRM wurde aktualisiert, um Anforderungen zu empfangen. Der WinRM-Diensttyp wurde erfolgreich geändert. Der WinRM-Dienst wurde gestartet. WinRM wurde für die Remoteverwaltung aktualisiert. Die WinRM-Firewallausnahme ist aktiviert. "LocalAccountTokenFilterPolicy" wurde so konfiguriert, dass lokalen Benutzern remote Administratorrechte gewährt werden.
if i recall correctly, in a situation where you have older windows installs on a lan with no CD or name service, you will need to either disable UAC on clients or alternatively setup specific trust relations in WMI by way of scripting
WMI Service Sensor (for Windows Service Monitoring via WMI) will only work on some of our servers. On the rest, the "80041003: The current users does not have permission to perform the action" message appears, when the PRTG WMI Service Sensor attempts to activate via the PRTG web interface. Does anyone know which "permission" this error may be referring to and/or have any additional guidance for what to check? We have multiple servers that are configured the same and WMI Service Sensor DOES work. Curiously enough, WMI Disk, WMI CPU and WMI Memory all work. That suggests that our WMI is functional. What are the additional requirements of WMI Service Sensor beyond what WMI CPU, WMI Memory and WMY Disk require? Thanks!
To add to this, the Windows built-in "administrator" account does allow WMI Service Sensor to activate and function. We of course cannot use this account for PRTG purposes. How can a a local Windows account that 100% mirrors "administrator" be created? Manually creating a local account that has all of the required group memberships and WMI settings associated with it did not work.
as the necessary rights are not well documented by Microsoft, we can only recommend to use an administrator user here.
As alternative, you could enable the SNMP service and allow remote SNMP access, and then use the SNMP Windows Service sensor.
Arne - Please elaborate. The local Windows built-in "administrator" account will enable PRTG WMI Service Sensor to function but if I create a local Windows account that is a member of "administrators" group, PRTG WMI Service Sensor fails to function. How do I create a Windows local administrator account that will work? Thanks in advance for your guidance!
this would be a question for Microsoft. PRTG creates a WMI connection using the credentials provided to PRTG, Windows then determines if those are accepted or not.
Details about what exactly does work and what does not work seem to change with different Windows versions, or with Windows settings. If we had more details, we would share those.