
WmiPrvSE.exe blocked by HIPS (Server 2012)


Go to solution Solved by itman,

Hello all,

Resuming from this comment by Nightowl, we're still observing thousands of WmiPrvSE.exe blocked operations by HIPS in all our MS 2012 Servers (see attachment).

Yes I know, “Log all blocked operations” option can be disabled, but I’m wondering if all these events could impact system performance / stability somehow… why does this happen on 2012 (R2) only and not in subsequent versions?

Thanks

Gabriele

hips.jpg


  • Administrators
1 minute ago, OP System said:

Yes I know, “Log all blocked operations” option can be disabled, but I’m wondering if all these events could impact system performance / stability somehow… why does this happen on 2012 (R2) only and not in subsequent versions?

It's a question for Microsoft, the maker of the OS and the file in question.

As you have correctly pointed out, logging of blocked operations should be disabled unless troubleshooting a HIPS related issue.


Thanks Marcos,

Just for the sake of knowledge, do you know why those operations get blocked or why on 2012 specifically? Maybe someone else already got through WMI tracing in the past…


  • Most Valued Members
On 6/17/2021 at 12:06 AM, OP System said:

Hello all,

Resuming from this comment by Nightowl, we're still observing thousands of WmiPrvSE.exe blocked operations by HIPS in all our MS 2012 Servers (see attachment).

Yes I know, “Log all blocked operations” option can be disabled, but I’m wondering if all these events could impact system performance / stability somehow… why does this happen on 2012 (R2) only and not in subsequent versions?

Thanks

Gabriele

hips.jpg

I didn't know what caused them to be honest also.


  • Solution
On 6/16/2021 at 5:20 PM, OP System said:

Just for the sake of knowledge, do you know why those operations get blocked or why on 2012 specifically? Maybe someone else already got through WMI tracing in the past…

Previously observing what Eset HIPS internal rules do at boot time, it will only block specific process activity rather than all activity from a process.

Your screenshot is in Italian so I can't determine what specific WmiPrvSE.exe activity is being blocked. But I have seen the same activity on Win 10 builds and it is not affecting any WmiPrvSE.exe functionality that I am aware of.
