Question WMIADAP.exe and WmiPrvSE.exe running in background at system start-up after 4 minutes recently, any ideas?

I have been having this bizarre issue for the last week. I started noticing in recent days that whenever I turn on my computer and launch Task Manager, after approximately 4 minutes WmiPrvSE.exe along with WMIADAP.exe starts running in the background under the SYSTEM username. I have done this experiment with multiple restarts and it always starts running after 4 minutes and 30 seconds by schedule.


This behaviour is not something I have noticed before ever in the last 2 years since running Windows 10. Something recent has occurred and system restore to an earlier date will not help either.

It will only end after 15 minutes and 57 seconds. So around the 16 minute mark it would disappear.

I did a system restore to a date from last month, in October, just for the benefit of the doubt and I am still noticing the same behaviour! No errors are showing in the Event Viewer log and there are no integrity violations with SFC /Scannow.

Is there a way to find out what is triggering this to start after 4 minutes on Windows start up? This was never happening before!!! Now all of a sudden I started noticing this weird behaviour. It is not using much memory or CPU usage and no network activity.

I checked the exe file and it hasn't been tampered with. My Windows 10 Pro version is 1903 (OS Build 18362.720).

I am not even launching any programs. My start-up programs are set to disabled. Even in Safe Mode this same behaviour occurs. Not only that, it will randomly start every half an hour/1 hour by itself; even when I leave my computer and go for dinner/breakfast, I return and see them running in the background! Something that I've never seen happen before in the last 2 years of using Windows 10.
 

CParsons

Staff member
WmiPrvSE.exe is a normal process and can result in high CPU usage.


However... WMIADAP.exe, while legit also, is largely related to virus activity. You should run an antivirus, seek out removal tools or consider a reinstall.
 
Many thanks for your response.

I suspect the WMIADAP.exe trigger to be suspicious, although I can't be 100% certain, because when it does launch, CPU usage is 0% and memory usage also seems normal. There are no background apps running.

Also I have observed there is no network activity either when it does launch along with WmiPrvSE.exe !

The actual WMIADAP.exe file is located in 4 legit locations and they are not modified.

The only thing I could suspect is that some viral script is triggering it to start on the 4th minute on PC boot up. I'm not actually launching anything other than Task Manager just to have an observation. Do you reckon whether this behaviour is normal to start on Windows 10 due to some setting change?

I will definitely do a virus scan. I find it strange that a Windows System Restore to an earlier date doesn't stop the behaviour. But I can't seem to find out what is triggering it to start.

PC reformat is something I would consider as a last resort as it's a big hassle to install everything from scratch just to fix this. There seems to be little information on what it does.

I do remember 2 years ago WMIADAP.exe launching with Google Chrome. But this behaviour now is new as I'm not launching anything. I even uninstalled Chrome, Opera GX, CCleaner, Zoom, etc just for the benefit of the doubt. But it's happening even in Safe Mode!
 

MaddMann

A nerd that found his place
Community Contributor
  • If WMIADAP.exe is located in a subfolder of "C:\Program Files", the security rating is 25% dangerous. The file size is 196,608 bytes. The program has no file description. The program is not visible. It is not a Windows core file. The WMIADAP.exe file is a Microsoft signed file. WMIADAP.exe is able to monitor applications.

  • If WMIADAP.exe is located in a subfolder of the user's profile folder, the security rating is 78% dangerous. The file size is 7,293,280 bytes. The program has no visible window. The file is not a Windows system file. The WMIADAP.exe file is a Verisign signed file. The file is certified by a trustworthy company. The process starts upon Windows startup (see Registry key: Run). The application listens for or sends data on open ports to a LAN or the Internet.
    Uninstalling this variant: You can also do the following:
    • search the support area on the Teamviewer website
    • uninstall the software TeamViewer using the Uninstall a Program function of Windows Control Panel (Windows: Start, Settings, Control Panel, Uninstall a Program)

  • If WMIADAP.exe is located in a subfolder of C:\Windows, the security rating is 80% dangerous. The file size is 6,218,976 bytes.

WMIADAP stands for WMI AutoDetect/AutoPurge

Hope this info helps. I know one recent change with that program relates to Skype, so if you use Skype and have it starting with Windows, it will likely trigger this to start as well.
 
Can't seem to bloody post on the forum. All my hard work replying has been practically wasted....

"Your content can not be submitted. This is likely because your content is spam-like or contains inappropriate elements. Please change your content or try again later. If you still have problems, please contact an administrator."

WMIADAP.exe is located in the following areas in my system and all seem legit and unmodified.

C:\Windows\SysWOW64\wbem

C:\Windows\System32\wbem

C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.18362.1_none_96061d62d131d0ce

C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.18362.1_none_8bb173109cd10ed3

Anyway, everything seems too vague for me to understand. WMI AutoDetect/AutoPurge is too vague. I don't have TeamViewer or Skype installed.

But when WMIADAP does get triggered after 4 minutes and 30 seconds, this is what gets logged in Event Viewer.

When I check Event ID 5857 I get WMIProv provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3092; ProviderPath = %systemroot%\system32\wbem\wmiprov.dll

Edit: @CParsons thanks for correcting the spam filter!
 
I scanned my computer with Malwarebytes. Sadly no threats are detected after 4 hours.

I was hoping for it to be a virus then at least if it was removed then the issue would've been solved. Unfortunately even then WMIADAP.exe still runs after 4 minutes and 30 seconds on my Windows 10 system.

Interestingly enough, I tested on my mum's Windows 7 machine and the exact same behaviour is occurring. But on my dad's Windows 8.1 system WMIADAP.exe does not get triggered nor WMIPrvSE.exe!

At this stage I'm pretty lost. Maybe my next attempt is to update Windows 10 to the latest version and if that doesn't fix it then I may have to reformat Windows and reinstall from scratch. It's extremely disappointing to see that neither system restore worked, nor can a virus scan detect any threats! SFC /Scannow can't detect violations either and no one is able to tell me here on these forums their experiences either. :(
 

MaddMann

Before going nuclear, you may want to post in the Windows forums, they have many experts. From everything I can see, it doesn't appear this application is harmful in its use, but I can understand the caution of services that you do not expect running.
 
Ok, so I have posted on the Windows forums, including Windows Ten Forums and no one seems to have any clues or answered the question.

I have partially solved the problem, but not completely. After resetting WMI and deleting the Process Explorer folder last week, this got rid of the constant WMIADAP.exe that occurred every 15-30 minutes. So it seems Process Explorer was a culprit. WmiPrvSE.exe was also something that started as a SYSTEM process along with it. This behaviour stopped.

However, still after 4 minutes and 30 seconds it continues to get triggered although once it ends after 16th minute mark at least this behaviour is no longer occurring.

But now I am getting this odd WMI Activity error at least once a day although as a SYSTEM process.

The other thing is that there are tons of network activities in the WMI Activity in Event Viewer. I don't know if this is normal. In just over 1 week I have had over 200+ instances of NETWORK WMI-Activity logged in Event Viewer.

Also launching Steam or SpeedFan will also trigger WMI errors every single time. I tried reinstalling those and it made no difference.

When I checked my dad's Windows 8.1 system he has 316 instances in over 3 months! What gives this? Again, I don't know if this is normal with Windows 10, never had a look at it until this issue started arising with WMI Adapter.
 
Yesterday I did a 3-hour Windows 10 update from 1903 to 20H2. Sadly this made things even worse! Not only does it not solve the issue; it temporarily stopped triggering WMIAdap at restart, but then it magically came back.

Now I also have 2x WmiPRvSE.exe running at system startup!


I am completely lost! Before this never happened. What is triggering a second NETWORK SERVICE of this to start? This is after Windows 10 update 20H2. Before that I was using 1903 and this wasn't happening.

I also got new WMI Errors. Event ID. Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-22C5PHI; User = NT AUTHORITY\SYSTEM; ClientProcessId = 1444; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : Select * from NvWmiBrightness; ResultCode = 0x8004100C; PossibleCause = Unknown

This seems to be related to NVDisplay.Container.exe. Is this benign? I updated graphics card drivers but it still triggers this WMI Activity error.

Also going back to WmiPRvSE.exe the Network Service disappears. But the WmiPRvSE.exe SYSTEM SERVICE is now always running in the background. Doesn't leave even after 16 minutes like before.

I seriously regret updating Windows to 20H2. If I knew I would've stayed on 1903. But I guess I have to live with these issues... :cautious:
 
Update: WMIAdap.exe vanished for the last 3 days and no longer triggers at start up!

However, new issue started. And it is related to DeviceGuard.


Despite Device guard showing Device Guard successfully processed the Group Policy: Virtualization Based Security = Disabled, Secure Boot = Off, DMA Protection = Off, Virtualization Based Code Integrity = Disabled, Credential Guard = Disabled, Reboot required = No, Status = 0x0.

WMI Activity Operations Log shows this!!!!
Win32_DeviceGuard provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3168; ProviderPath = %SystemRoot%\System32\Win32_DeviceGuard.dll

Win32_TpmProvider provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3168; ProviderPath = C:\Windows\System32\wbem\Win32_TPM.dll

This is triggering this error... Id 5858 = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-XXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4912; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ID FROM Win32_ServerFeature; ResultCode = 0x80041010; PossibleCause = Unknown

I'm very disappointed because no one on this forum is able to tell me what is going on! All started since 20H2. I feel like reformatting windows and returning to 1903. But the problem is the official Microsoft website doesn't have 1903 available.

After restarting computer, indeed it goes away. But this is just like UPFC.exe. I think this is some sort of telemetry that Microsoft implemented every day to happen once at least.

It looks to me like absolutely everyone has this at start up on 20H2. What a horrible operating system Windows 10 really is. It has given me depression this past 1 week troubleshooting! :mad:
 
I'm very disappointed because no one on this forum is able to tell me what is going on
We're essentially a gaming forum. While we have knowledgeable hardware and software people in the community, it's not our core competence. Try a Windows forum like

telemetry that Microsoft implemented every day
Try installing this…
…and run thru the settings to disable the telemetry. I run it after the monthly MS update.
 
Many thanks for your suggestion. I have managed to return back to Windows 10 1903 as I had it backed up in my USB from 2 years ago.

I then used a registry to Specify_target_Feature_Update_version_to_1903 and set
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ProductVersion"="Windows 10"
"TargetReleaseVersion"=dword:00000001
"TargetReleaseVersionInfo"="1903"

What this essentially did is prevent Windows 10 from automatically downloading and upgrading to the latest 20H2 update! Basically it only searches for 1903 updates. This is basically a saviour!

Btw, regarding the telemetry, it appears that in Windows 10 20H2 Device Management Wireless Application Protocol (WAP) Push message Routing Service turns itself back on from disabled and also logs an error message in event viewer about the dmwappushservice being disabled!!! So indeed Microsoft seemed to have updated something to force this telemetry to turn itself back on. Be aware ShutUp10 doesn't seem to have an effect on 20H2!

As I returned back to 1903 Telemetry blocking seems to work again and this service doesn't revert back to Manual like before!

Most of the WMI Errors relating to Nvidia and also WMIAdap.exe vanished. However, I still get Win32_DeviceGuard and Win32_TpmProvider followed by a single error at start up each day, but I guess I can ignore this for now.

Going to stick to 1903 for now. As latest versions don't offer anything better in terms of performance.
 
I have finally solved this mysterious error regarding Win32_DeviceGuard and Win32_TpmProvider!!!! :D

Turns out this has absolutely nothing to do with the actual Device Guard Virtualisation as some advised me on the Microsoft forums. This stupid error is triggered due to Device Information Task Schedule that is exclusive to Windows 10 only! You will not find this task schedule in Windows 7 or 8.1.

https://www.ghacks.net/2019/09/23/w...0-and-why-does-it-need-internet-connectivity/

This is basically another telemetry data collection that Microsoft uses to collect information about your system. This is why you get network spikes when this schedule runs.

The way I found out is that when the error occurred, it corresponded to the exact timing of the task schedule. I have observed this in my last error history that it matches the last task schedule run time. As soon as I disabled this task schedule, the error stopped occurring and you'll no longer get Win32_DeviceGuard and Win32_TpmProvider logged.

Microsoft Support failed to give me the right answer. They were giving me the Device Guard advice. I know that had nothing to do with it.

Somehow when I upgraded initially from 1903 to 20H2 the task schedule was reset back to default. But I had no idea that Device Information task schedule was responsible for triggering this error! Now I know and hopefully this should be helpful to others as well! :)
 
So after nearly 4 months since re-installing Windows 10 the issue with WMIADAP.exe and WmiPrvSE.exe is back!!!

But guess what?! This time I have diagnosed the cause of the issue, it is related to the Daylight saving time zone clock change. The clock went 1 hour up as of last night at 1am UK time!

I turned on my computer earlier today and despite the clock being updated, WMIADAP.exe and WmiPrvSE.exe came back after 4 minutes and 26 seconds. WMI-Activity presented with 5 new Errors never seen before!

Error: Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-TJVRPR9; User = NT AUTHORITY\SYSTEM; ClientProcessId = 180; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WMIBinaryMofResource where Name = "C:\\Windows\\System32\\drivers\\en-US\\processr.sys.mui[PROCESSORWMI]"; ResultCode = 0x80041032; PossibleCause = Unknown

Error: Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-TJVRPR9; User = NT AUTHORITY\SYSTEM; ClientProcessId = 180; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WMIBinaryMofResource where Name = "C:\\Windows\\System32\\drivers\\en-US\\mssmbios.sys.mui[MofResource]"; ResultCode = 0x80041032; PossibleCause = Unknown

Error: Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-TJVRPR9; User = NT AUTHORITY\SYSTEM; ClientProcessId = 180; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WMIBinaryMofResource where Name = "C:\\Windows\\System32\\drivers\\en-US\\ACPI.sys.mui[ACPIMOFResource]"; ResultCode = 0x80041032; PossibleCause = Unknown

Error: Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-TJVRPR9; User = NT AUTHORITY\SYSTEM; ClientProcessId = 180; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WMIBinaryMofResource where Name = "C:\\Windows\\system32\\en-US\\kernelbase.dll.mui[MofResourceName]"; ResultCode = 0x80041032; PossibleCause = Unknown

Error: Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-TJVRPR9; User = NT AUTHORITY\SYSTEM; ClientProcessId = 180; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WMIBinaryMofResource where Name = "C:\\Windows\\System32\\drivers\\ACPI.sys[ACPIMOFResource]"; ResultCode = 0x80041032; PossibleCause = Unknown

Anyway, WmiPrvSE.exe kept running for 30 minutes in task manager before it disappeared. I restarted the PC one more time and it returned again after just over 4 minutes.

This time those errors didn't repeat but WMI-Activity shows Information: WMIProv provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4620; ProviderPath = %systemroot%\system32\wbem\wmiprov.dll

This time it disappeared after 15 minutes and 50 seconds. So it is clear that the Day Time Zone changes trigger this behaviour!!!

Last time October 31st 2021 was the last clock change and I came across the same problem, but never quite managed to diagnose the behaviour trigger.

Now this time the clock went 1 hour ahead and Windows 10 is triggering this behaviour again. Maybe it's related to me disabling Windows 10 Update through group policy editor.
 
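
Added example, not part of any post in this thread: a Python sketch that parses WMI-Activity error text in the format quoted above, names the three result codes that appear in the thread, and lists scheduled tasks whose last run falls just before each error, which is the timing comparison that identified the Device Information task. The timestamps, the second task name and the 90-second window are assumptions made for the sample.

```python
import re
from datetime import datetime, timedelta

# WBEM status codes that appear in the thread's 5858 entries.
WBEM_CODES = {
    0x8004100C: "WBEM_E_NOT_SUPPORTED",
    0x80041010: "WBEM_E_INVALID_CLASS",
    0x80041032: "WBEM_E_CALL_CANCELLED",
}
# "Key = value" pairs separated by "; "; a value may itself contain " = ".
FIELD_RE = re.compile(r"(\w+) = (.*?)(?=; \w+ = |$)")
OP_RE = re.compile(r"Start IWbemServices::(\w+) - (\S+) : (.*)")
TS = "%Y-%m-%d %H:%M:%S"

def parse_5858(message):
    """Split a 5858 message into fields and decode the operation and code."""
    fields = dict(FIELD_RE.findall(message))
    op = OP_RE.match(fields.get("Operation", ""))
    code = int(fields["ResultCode"], 16)
    return {
        "client_pid": int(fields["ClientProcessId"]),
        "user": fields["User"],
        "method": op.group(1) if op else None,
        "namespace": op.group(2) if op else None,
        "query": op.group(3) if op else fields.get("Operation"),
        "code_name": WBEM_CODES.get(code, hex(code)),
    }

def correlate(events, task_runs, window=timedelta(seconds=90)):
    """Attach to each event the tasks whose last run started within
    `window` before it (the timing comparison described in the thread)."""
    out = []
    for stamp, message in events:
        when = datetime.strptime(stamp, TS)
        near = sorted(name for name, run in task_runs.items()
                      if timedelta(0) <= when - datetime.strptime(run, TS) <= window)
        out.append({**parse_5858(message), "time": stamp, "tasks": near})
    return out

# Constructed sample: the message text follows the thread's format; the
# timestamps and the task "ExampleBackupTask" are hypothetical.
EVENTS = [
    ("2021-12-12 09:14:07", r"Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-XXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4912; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ID FROM Win32_ServerFeature; ResultCode = 0x80041010; PossibleCause = Unknown"),
    ("2021-12-12 11:30:00", r'Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-XXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 180; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WMIBinaryMofResource where Name = "C:\\Windows\\System32\\drivers\\ACPI.sys[ACPIMOFResource]"; ResultCode = 0x80041032; PossibleCause = Unknown'),
]
TASK_LAST_RUN = {
    "Device Information": "2021-12-12 09:13:52",
    "ExampleBackupTask": "2021-12-12 03:00:00",
}

if __name__ == "__main__":
    for row in correlate(EVENTS, TASK_LAST_RUN):
        print(row["time"], row["client_pid"], row["code_name"],
              row["namespace"], row["tasks"] or "no task nearby")
```

On a live system the event text would come from the Microsoft-Windows-WMI-Activity/Operational log and the run times from Task Scheduler; the ClientProcessId field identifies the process that issued the query.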