0

On our 2012R2 servers we are seeing wmiprvse.exe listening on a large number of UDP ports. Over time the number just keeps adding up. If the server has been up for about a month, there can be hundreds (nearly a thousand) of ports listening. All of them listen on the IPv4 loopback interface. They are all very high port numbers, over 40000. I cannot determine with procmon what is causing the ports to listen, so I am asking if anyone knows whether this is the expected behaviour or how to solve it. For your information, the servers vary in installation date and in what patches have been installed on them. They have the SCCM agent installed, if that helps anybody with answers.

user2782999

2 Answers

0

We investigated what triggered the ports and could finally relate it to when the gpupdate schedule runs. Every time gpupdate runs, a port is opened. We also have a SAM (software asset management) agent installed that meters application usage etc. The ports stayed open if the scanning agent did a scan at the same time gpupdate was running. Lowering the scanning interval resolved the issue for us.

user2782999
0

Also, see UDP port leak in Wmiprvse.exe when a WMI Group Policy filter is used:

Cause

Every time that the process loads and unloads WLDAP32.dll, a socket handle is allocated and is not released. Therefore, the source ephemeral port remains bound. This causes source port exhaustion over a long time.

This behavior is by design. It affects the way that WLDAP32.dll uses sockets in order to address a kernel limitation and prevent a deadlock that could otherwise occur on the system.

Anton Gogolev
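
To confirm and track the behaviour described in the question and answers above, the loopback UDP endpoints held by each WmiPrvSE.exe instance can be counted and compared with the host's dynamic port range. This is an added example, not part of either answer; the threshold of 100 is an assumed value, and the script assumes the NetTCPIP cmdlets on the server expose the `OwningProcess` property.

```powershell
# Added example: count loopback UDP endpoints held by each WmiPrvSE.exe instance.
# $Threshold is an assumed alerting value; tune it for your environment.
$Threshold = 100

# Dynamic (ephemeral) UDP port range configured on this host.
$udp      = Get-NetUDPSetting
$rangeLo  = [int]$udp.DynamicPortRangeStartPort
$rangeCnt = [int]$udp.DynamicPortRangeNumberOfPorts
$rangeHi  = $rangeLo + $rangeCnt - 1

# All WMI provider host processes (there are usually several).
$wmiPids = @(Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Id)

# UDP endpoints bound to the IPv4 loopback address and owned by those PIDs.
$endpoints = @(Get-NetUDPEndpoint -LocalAddress 127.0.0.1 -ErrorAction SilentlyContinue |
               Where-Object { $wmiPids -contains $_.OwningProcess })

# One row per WmiPrvSE.exe PID: how many ports it holds and how much of the
# dynamic range that represents.
$report = foreach ($group in ($endpoints | Group-Object OwningProcess)) {
    $ports   = $group.Group | Select-Object -ExpandProperty LocalPort
    $inRange = @($ports | Where-Object { $_ -ge $rangeLo -and $_ -le $rangeHi }).Count
    [pscustomobject]@{
        Timestamp        = Get-Date -Format s
        PID              = [int]$group.Name
        LoopbackUdpPorts = $group.Count
        InDynamicRange   = $inRange
        PercentOfRange   = [math]::Round(100 * $inRange / $rangeCnt, 2)
        OverThreshold    = $group.Count -ge $Threshold
    }
}

$report | Sort-Object LoopbackUdpPorts -Descending | Format-Table -AutoSize
```

Running it on a schedule and comparing the counts against the times gpupdate and the inventory scan run shows whether the number of bound ports grows with each refresh.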