What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags

View all Tags

How can I find out which systems access the WMI services of a server?



In the Windows Task Manager, I can see that WMI is responsible for very high CPU load on my mail server. Is there a way to find out quickly which systems access this device via WMI?

connection cpu-load prtg windows wmi

Created on Jul 5, 2013 1:03:13 PM by  Gerald Schoch [Paessler Support]

Last change on Jul 5, 2013 1:20:38 PM by  Gerald Schoch [Paessler Support]

1 Reply

Accepted Answer



This article applies to PRTG Network Monitor 13.2 or later

Detecting Systems Accessing WMI Services of a Device

Monitoring devices via Windows Management Instrumentation (WMI) generally has a high impact on system performance. Thus, we recommend staying below 200 WMI sensors per probe. If you recognize a very high CPU load on a server which is caused by WMI services, find out which systems are responsible for that and consider cancelling those connections.

In order to find out the sources for WMI accesses on a device, use the command-line tool netstat. Provide the port WMI uses and filter for the corresponding status of the connection (i.e., established connections). You can also exclude connections coming from the monitored device itself by providing its fully qualified domain name (FQDN) and IP address.

Steps to Go

Open the Windows command shell. The corresponding command to find established connections to the respective target device looks like this: netstat -afno | findstr :135 | findstr ESTABLISHED | findstr /VI <netbios name of the allowed monitoring server> | findstr /V <IP-address of the allowed monitoring server>

  • –afno calls all connections with their fqdn (if possible) with numeric port numbers and process ID.
  • findstr :135 filters for lines which have 135 as port number. This is the standard port for WMI access.
  • findstr ESTABLISHED filters for connections which are currently existing; connections with status “waiting” or “listen” will not be shown.
  • findstr /VI filters for the case Insensitive FQDN of the monitored device to exclude connections coming from itself (replace the placeholder with the actual FQDN)
  • findstr /V filters out the IP address of the target device if it cannot be resolved to its FQDN (replace the placeholder with the actual IP address)

You can also simply list all WMI connections to the target device by leaving out the filters: netstat -afno | findstr :135 | findstr ESTABLISHED

As a result of this command, a list is given out which denotes the protocol, local address, remote address, status, and process ID of all connections to the target device.

Created on Jul 5, 2013 1:18:01 PM by  Gerald Schoch [Paessler Support]

Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.