O R G A N I C / F E R T I L I Z E R: misc: an additional method to resolving wmi failures...

Feb 21, 2008

misc: an additional method to resolving wmi failures...

it's understated to say that issues with wmi are nebulous problems.  i've blogged about it a couple of times in the past, each with a potentially different solution.  there are even pretty in depth posts with how to correct wmi problems.  here's some links for starters:

http://marcusoh.blogspot.com/2006/03/sms-addressing-wmi-corruption.html
http://marcusoh.blogspot.com/2008/01/mom-correcting-most-troublesome-mom.html
http://www.microsoft.com/technet/scriptcenter/topics/help/wmi.mspx

they contain some of the more common ways of troubleshooting wmi problems.  there's going to come a time when none of it works.  you'll be tempted to rebuild the entire repository just to beat down the recalcitrant system.  before doing so, try this method that one of my coworkers used to correct a problem issued when issuing this query:

select * from win32_networkadapter

this would kick back error # 0x80041013 - "provider load failure".  (you may be more familiar with it as wbem_e_provider_load_failure) knowing that this was a problem with the win32_networkadapter class, it was tracked back to these requirements.  what was believed to be the offending .dll and .mof (cimwin32.dll and cimwin32.mof) files were copied from another working system and compiled/registered.  well... that didn't fix it.  yeah, surprise.

wmidiag.vbs was executed against the system to see what it could locate.  these are the results that came up of notable interest:

92567 15:12:33 (1) !! ERROR: WMI EXECQUERY operation errors reported: ..................................................................... 1 ERROR(S)!
92568 15:12:33 (0) ** - Root/CIMv2, Select * From Win32_NetworkAdapter WHERE AdapterType IS NOT NULL AND AdapterType != "Wide Area Network (WAN)" AND Description != "Packet Scheduler Miniport", 0x80041013 - (WBEM_E_PROVIDER_LOAD_FAILURE) COM cannot locate a provider referenced in the schema.
92159 15:12:33 (0) ** 1 error(s) 0x80041013 - (WBEM_E_PROVIDER_LOAD_FAILURE) COM cannot locate a provider referenced in the schema
92160 15:12:33 (0) ** => This error is typically due to the following major reasons:
92161 15:12:33 (0) **    - The application queried by the WMI provider is not installed, not available or not running
92162 15:12:33 (0) **      at the time of the request was made. This error can also be generated because 
92163 15:12:33 (0) **      the application supporting the providers has been uninstalled.
92164 15:12:33 (0) **    - Some WMI providers (i.e. RSOP Planning Mode, Exchange 2003) are implemented as a WMI service.
92165 15:12:33 (0) **      Make sure the required services are successfully started.
92166 15:12:33 (0) **    - The WMI provider binary files are not accessible (i.e. access denied ACL).
92167 15:12:33 (0) **    - A WMI provider registration problem at the CIM level (MOFCOMP.EXE) or at the COM level (REGSVR32.EXE).
92168 15:12:33 (0) **      You must re-register the WMI provider by recompiling its associated MOF file with MOFCOMP.EXE
92169 15:12:33 (0) **    Note: - If the WMI provider DLL CIM and COM registrations are correct, this error can
92170 15:12:33 (0) **            be returned because the provider has a dependency on another DLL that cannot be
92171 15:12:33 (0) **            loaded (missing or bad DLL)
92172 15:12:33 (0) **          - Dependencies can be found with the DEPENDS.EXE tool coming with the
92173 15:12:33 (0) **            Windows XP and Windows 2003 Support Tools. The command line is as follows:
92174 15:12:33 (0) **            i.e. DEPENDS.EXE <PATH><Provider.DLL>
92175 15:12:33 (0) ** => When a WMI provider fails to load, it is possible to trace the provider load process by
92176 15:12:33 (0) **    submitting, via WBEMTEST and asynchronously, the following WMI event query:
92177 15:12:33 (0) **    'Select * From MSFT_WmiSelfEvent'
92178 15:12:33 (0) **    Then you can trace the following WMI events:
92179 15:12:33 (0) **    - Msft_WmiProvider_ComServerLoadOperationEvent
92180 15:12:33 (0) **    - Msft_WmiProvider_InitializationOperationEvent
92181 15:12:33 (0) **    - Msft_WmiProvider_LoadOperationEvent
92182 15:12:33 (0) **    and depending on the WMI operation executed, you can trace the following WMI events:
92183 15:12:33 (0) **    i.e. for an enumeration:
92184 15:12:33 (0) **    - Msft_WmiProvider_CreateInstanceEnumAsyncEvent_Pre and Msft_WmiProvider_CreateInstanceEnumAsyncEvent_Post
92185 15:12:33 (0) **    i.e. for a put operation:
92186 15:12:33 (0) **    - Msft_WmiProvider_PutInstanceAsyncEvent_Pre and Msft_WmiProvider_PutInstanceAsyncEvent_Post

when i looked at the logs originally, i glossed over it and tried to execute the query in the wrong context.  my coworker had a bit more diligence about it and did it right.

the real stuff to look at is where i bolded and underlined the results.  to use this, execute the "select * from msft_wmiselfevent" in the namespace where the problem exists.  it must be executed as an asynchronous notification query.  (The namespace for win32_networkadapter is root\cimv2, for example.)

crap[8]

wbemtest: these are the data elements to choose for asynchronous notification queries

once you execute the query, leave the window open and perform the following:

  1. switch the method invocation options to "semisynchronous".
  2. use the "query" button and execute the problem query statement.
  3. switch back to the window running the msft_wmiselfevent query.

hopefully you'll see where the problem occurs.  in our case, the problem traced back to "brcmgroup provider" which turns out is a broadcom cim provider.  once this was removed, the problem went away.  good job, chris.  here's a link to his post about this topic.