Windows applications randomly hang when accessing WMI service

Article ID: 288182


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Windows applications randomly stop or hang, with hours to days between events.
  • The problem seems to be worse on busier machines.
  • The problem occurs on a wide range of Windows OS versions.
  • Restarting the Windows WMI service fixes the hanging.
  • Placing the sensor host in Bypass mode fixes the hanging.
  • Running this get-process command in PowerShell against the WmiPrvSE.exe process ID returns almost all "Suspended" states:
username> (get-process -id 1234).threads.waitreason
Suspended
Suspended
Suspended
Unknown
Suspended
Suspended
.
.
.
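
The check above can be run across every WmiPrvSE.exe instance without looking up each process ID by hand. The following is an added example, not vendor code; the function name `Get-WmiPrvSeThreadSummary`, the 0.8 threshold and the three 5-second samples are assumptions chosen for illustration, since the article only says "almost all".

```powershell
# Added example, not vendor code. Summarises thread wait reasons for every
# WmiPrvSE.exe instance and flags those that stay mostly "Suspended".
$Threshold   = 0.8   # assumed cut-off for "almost all"; the article gives no number
$Samples     = 3     # assumed: repeat the check to rule out a momentary state
$IntervalSec = 5     # assumed pause between samples

function Get-WmiPrvSeThreadSummary {
    Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue | ForEach-Object {
        $threads = @($_.Threads)
        # WaitReason is only meaningful while ThreadState is Wait.
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
        })
        $ratio = if ($threads.Count) { $suspended.Count / $threads.Count } else { 0 }
        [pscustomobject]@{
            Time      = Get-Date
            Id        = $_.Id
            Threads   = $threads.Count
            Suspended = $suspended.Count
            Ratio     = [math]::Round($ratio, 2)
        }
    }
}

# Collect several snapshots of every instance.
$results = for ($i = 0; $i -lt $Samples; $i++) {
    Get-WmiPrvSeThreadSummary
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSec }
}

# A PID matches the symptom only if it was present in every sample and its
# suspended-thread ratio never dropped below the threshold.
$results | Group-Object Id | ForEach-Object {
    $min = ($_.Group | Measure-Object Ratio -Minimum).Minimum
    [pscustomobject]@{
        Id              = [int]$_.Name
        Samples         = $_.Count
        MinSuspendRatio = $min
        MatchesSymptom  = ($_.Count -eq $Samples -and $min -ge $Threshold)
    }
} | Format-Table -AutoSize
```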

Environment

  • Carbon Black Cloud Sensor: All Windows versions 3.7.x and earlier
  • Carbon Black Cloud Console: All Versions

Cause

This is issue DSEN-13250. The CB Cloud Windows sensor calls GetModuleHandleExW() after threads are suspended.

Resolution

  1. Upgrade the sensors to 3.8.x Windows sensors or higher.
  2. To work around this "app-hook" issue hanging the WMI service on 3.7.x sensors and earlier:
    1. Add an API Bypass rule
      1. Edit the Policy for the target Windows sensor hosts
      2. Prevention Tab > Permissions > Add a new Permission rule
        1. Check "Performs any API operation" and Application(s) at Path:
          *:\Windows\Sys*\wbem\WmiPrvSE.exe

Additional Information

Note that the API bypass will only prevent future occurrences and not "heal" sensor hosts currently in a bad state.