WMI (Windows Management Instrumentation) Monitoring

WMI Monitoring is the process of collecting system information from Windows devices using Windows Management Instrumentation, including metrics like CPU, memory, disk, and service status.

ThirdEye uses the HTTP/SOAP-based WS-Management protocol (WinRM) to retrieve Windows Management Instrumentation (WMI) objects.

The following objects can be retrieved currently:

  • Win32_PerfFormattedData_PerfOS_Processor (CPU Monitoring)
  • Win32_PerfFormattedData_PerfDisk_LogicalDisk (Disk Monitoring)
  • Win32_PerfFormattedData_PerfOS_Memory (Memory Monitoring)
  • Win32_PerfFormattedData_PerfProc_Process (Process Monitoring)
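
As an added illustration of the WS-Management retrieval described above (this is example code, not ThirdEye's own), the following PowerShell script opens a CIM session to a Windows host over WinRM and enumerates the four classes, reading one representative property from each. The host name and port are placeholders, the account is prompted for, and WinRM must already be listening on the target.

```powershell
# Added example, not ThirdEye code. Placeholders: host name, port and the
# account entered at the credential prompt.
$target = 'win-host.example.internal'   # placeholder host name
$port   = 5985                           # HTTP listener; 5986 with -UseSsl for HTTPS
$cred   = Get-Credential                 # account allowed to read WMI on the target

# Test-WSMan sends a WS-Management Identify request and throws if no
# listener answers, which separates "WinRM not enabled" from WMI errors.
Test-WSMan -ComputerName $target -Port $port -ErrorAction Stop | Out-Null

# New-CimSession speaks WS-Management (HTTP/SOAP) unless a session option
# explicitly asks for DCOM, so this is the same transport ThirdEye uses.
$session = New-CimSession -ComputerName $target -Port $port -Credential $cred

# The four classes listed above, each with one property its plugin reads.
$classes = [ordered]@{
    'Win32_PerfFormattedData_PerfOS_Processor'     = 'PercentProcessorTime'   # CPU
    'Win32_PerfFormattedData_PerfDisk_LogicalDisk' = 'PercentFreeSpace'       # disk
    'Win32_PerfFormattedData_PerfOS_Memory'        = 'AvailableBytes'         # memory
    'Win32_PerfFormattedData_PerfProc_Process'     = 'WorkingSet'             # process
}

function Get-WmiSample {
    param([Parameter(Mandatory)]$Session, [Parameter(Mandatory)]$Classes)
    foreach ($entry in $Classes.GetEnumerator()) {
        # One WS-Man Enumerate per class; formatted classes return ready-to-read
        # values, so no two-sample delta calculation is needed.
        $instances = @(Get-CimInstance -CimSession $Session -ClassName $entry.Key)
        foreach ($i in $instances) {
            [pscustomobject]@{
                Class    = $entry.Key
                Instance = $i.Name          # e.g. "_Total", "C:", "WmiPrvSE#1"
                Property = $entry.Value
                Value    = $i.($entry.Value)
            }
        }
    }
}

Get-WmiSample -Session $session -Classes $classes | Format-Table -AutoSize
Remove-CimSession -CimSession $session
```

Running this with the monitoring account confirms two things before a ThirdEye monitor is added: that the WinRM listener accepts the connection, and that the account has read access to the performance classes.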

You can check the configuration of the current WinRM listener by running winrm enumerate winrm/config/listener:

PS C:\Users\Administrator> winrm enumerate winrm/config/listener
Listener
 Address = *
 Transport = HTTP
 Port = 5985
 Hostname
 Enabled = true
 URLPrefix = wsman
 CertificateThumbprint
 ListeningOn = 127.0.0.1, 192.168.40.66, ::1, 2001:0:348b:fb58:1077:394:3f57:d7bd, fd14:5839:664d:40:58c0:c882:310d:3

Non-Secure HTTP Connections

By default, WinRM allows only encrypted traffic. If you want to monitor over plain HTTP, allow unencrypted traffic by running winrm set winrm/config/service '@{AllowUnencrypted="true"}':

PS C:\Users\Administrator> winrm set winrm/config/service '@{AllowUnencrypted="true"}' 
Service
 RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
 MaxConcurrentOperations = 4294967295
 MaxConcurrentOperationsPerUser = 1500
 EnumerationTimeoutms = 240000
 MaxConnections = 300
 MaxPacketRetrievalTimeSeconds = 120
 AllowUnencrypted = true
 Auth
 Basic = false
 Kerberos = true
 Negotiate = true
 Certificate = false
 CredSSP = false
 CbtHardeningLevel = Relaxed
 DefaultPorts
 HTTP = 5985
 HTTPS = 5986
 IPv4Filter = *
 IPv6Filter = *
 EnableCompatibilityHttpListener = false
 EnableCompatibilityHttpsListener = false
 CertificateThumbprint
 AllowRemoteAccess = true

Basic Authentication Settings

Basic authentication is disabled by default. If you want to use it, for example when the system is not joined to a domain (WORKGROUP), enable it by running winrm set winrm/config/service/auth '@{Basic="true"}':

PS C:\Users\Administrator> winrm set winrm/config/service/auth '@{Basic="true"}'
Auth
 Basic = true
 Kerberos = true
 Negotiate = true
 Certificate = false
 CredSSP = false
 CbtHardeningLevel = Relaxed
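
The two commands above (allowing unencrypted traffic, and enabling Basic authentication) each widen what the WinRM service accepts. The following added PowerShell script, which is not part of the ThirdEye documentation, reports the resulting state on the server and shows the hardened alternative: both relaxations reverted and an HTTPS listener on port 5986 so that credentials and WMI data travel under TLS. Run it in an elevated PowerShell on the Windows server; the DNS name is a placeholder, and the self-signed certificate branch is for lab use only.

```powershell
# Added example, not from the ThirdEye documentation. Requires an elevated
# PowerShell session on the Windows server being monitored.

function Get-WinRmSecurityPosture {
    # The WSMan: drive exposes the same tree that `winrm get winrm/config`
    # prints; boolean values come back as the strings "true"/"false".
    $allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $basicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $transports       = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        ($_.Keys | Where-Object { $_ -like 'Transport=*' }) -replace '^Transport=', ''
    })

    $posture = [pscustomobject]@{
        AllowUnencrypted = [bool]::Parse($allowUnencrypted)
        BasicAuth        = [bool]::Parse($basicAuth)
        Listeners        = ($transports -join ', ')
    }
    # The combination that puts a password on the wire in clear: Basic auth
    # over an HTTP listener with unencrypted traffic permitted.
    $posture | Add-Member -NotePropertyName CleartextCredentialsPossible -NotePropertyValue (
        $posture.AllowUnencrypted -and $posture.BasicAuth -and ($transports -contains 'HTTP'))
    return $posture
}

function Set-WinRmHardenedTransport {
    param([Parameter(Mandatory)][string]$DnsName)   # name clients will connect to

    # Reverse the two relaxations shown in the sections above.
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

    # Use a server certificate with a private key for this host if one is
    # already installed; otherwise issue a self-signed one (lab use only,
    # production should use a certificate from an internal CA).
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) {
        $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My
    }

    # Create the HTTPS listener only if none exists yet.
    $hasHttps = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if (-not $hasHttps) {
        New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
                 -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
    }

    # Open 5986 inbound; leave 5985 closed unless plain HTTP is really required.
    if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
                            -LocalPort 5986 -Action Allow | Out-Null
    }
}

Get-WinRmSecurityPosture | Format-List
# Set-WinRmHardenedTransport -DnsName 'win-host.example.internal'   # placeholder host name
```

After hardening, configure the ThirdEye monitor with the encryption method set to https and port 5986; Negotiate authentication continues to work without Basic being enabled.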

WMI Credential Settings

Register the username and password used for WinRM authentication in the device credentials: set the Username to “VTY Username” and the Password to “VTY Password”.

Monitors using WMI support the following monitoring functions:

  • Windows Disk (collects disk usage metrics)
  • Windows Memory (collects system memory metrics)
  • Windows Processor (collects CPU usage metrics)
  • Windows Process (collects metrics for processes)

Add WMI Monitor

Monitors can be added to the device details screen and monitor sets in the same way as other monitors. The following describes the procedure for adding monitors using monitor sets.

  1. Click the [Monitor] main tab.

  2. Click the [Sets] subtab.

  3. Open the [Create Monitor Set] window and add a monitor set.

  4. Click the added monitor set, then click [Add Monitor] > [WMI].

  5. Set the monitor name, interval, data storage period, and optional triggers.

Each plugin provides the following metrics for a monitor:

Plugin             Metric                    Description
Windows Disk       (uses the Win32_PerfFormattedData_PerfDisk_LogicalDisk class)
                   Free Space (Megabytes)    Refers to “FreeMegabytes”
                   Free Space (%)            Refers to “PercentFreeSpace”
                   Idle Time (%)             Refers to “PercentIdleTime”
                   Read Time (%)             Refers to “PercentDiskReadTime”
                   Write Time (%)            Refers to “PercentDiskWriteTime”
                   Disk Time (%)             Refers to “PercentDiskTime”
                   Bytes Per Second          Refers to “DiskBytesPersec”
                   Bytes Read Per Second     Refers to “DiskReadBytesPersec”
                   Bytes Written Per Second  Refers to “DiskWriteBytesPersec”
                   Reads Per Second          Refers to “DiskReadsPersec”
                   Writes Per Second         Refers to “DiskWritesPersec”
Windows Memory     (uses the Win32_PerfFormattedData_PerfOS_Memory class)
                   Bytes Available           Refers to “AvailableBytes”
                   Bytes Cached              Refers to “CacheBytes”
                   Bytes Committed           Refers to “CommittedBytes”
                   Page Faults               Refers to “PageFaultsPersec”
Windows Processor  (uses the Win32_PerfFormattedData_PerfOS_Processor class)
                   Idle Time (%)             Refers to “PercentIdleTime”
                   Interrupt Time (%)        Refers to “PercentInterruptTime”
                   Privileged Time (%)       Refers to “PercentPrivilegedTime”
                   Processor Time (%)        Refers to “PercentProcessorTime”
                   User Time (%)             Refers to “PercentUserTime”
  6. Click [Plugin Library] to select a plugin.

  7. Click [OK] > [Save].

WMI Live Service Monitor

The WMI Live Service Monitor in ThirdEye provides real-time visibility into Windows process activity through WMI (Windows Management Instrumentation). It tracks process creation and termination events, resource utilization (CPU/memory), and parent-child process relationships. This monitor acts as a security and operational tool: it detects unauthorized processes, identifies resource bottlenecks, and supports compliance through granular process auditing. Integrated with ThirdEye's alerting system, it triggers notifications for abnormal process patterns while correlating the data with other system metrics for root cause analysis.

Columns (Metrics)

  • Service Name
  • Description
  • Status
  • Startup Type
  • Assigned Application

Tooltips

You can hover over the Service Name to show a tooltip with further information about the service. The tooltip contains the following information:

  • Name
  • Description
  • Process Id
  • Log On As
  • Path
  • Services which are dependent on this service

Operations

  • Start Service
  • Restart Service
  • Stop Service

Timing Data

  • Opening the Live Process Monitor page: monitor setup takes about 120 s
  • Live Monitor refresh: refresh interval about 30 s
  • Device Single Process Monitor (process instance stopped/started): poll interval about 30 s

Windows Server Credentials

You can configure credentials for the Windows server in the device credentials settings. The device hostname is used for the connection, so the IP address of the Windows VM must be entered as the device hostname. Process monitoring also connects using the Windows server's device hostname.

WinRM Configuration

WMI Live Service Monitor is available for Windows servers that have WinRM enabled and configured. When WinRM is enabled on the Windows Server, performing discovery will add a wmi trait to the device.

Access WMI Live Service Monitor

To access WMI Live Service Monitor:

  1. Click the [Inventory] main tab.

  2. Right-click the Windows Server.

  3. Click [Windows Processes] to open the "WMI Live Service Monitor Authentication" window.

Note:

The Windows Processes menu item is only available on right-click if the device has a wmi trait.

Configure WMI Live Service Monitor

  1. Configure the WinRM authentication settings in the "WMI Live Service Monitor Authentication" window.

Item                   Description
Port                   Specify the WMI port. By default, “5986” is used when the encryption method is “https” and “5985” when it is “None”.
Encryption Method      Select “https” or “None” based on your environment.
Path Name              Change the path if it has been modified on the server side. The default is “/wsman”.
Authentication Method  Select “Negotiate” or “Http Basic” based on your environment.
AD Realm               Enter the realm (only when the authentication method is “Negotiate”).
AD Domain              Enter the domain (only when the authentication method is “Negotiate”).

  2. Click [Start Live Monitor] to open the “Windows Services” window.
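
The authentication settings in the table above map directly onto the parameters of a PowerShell CIM session, which is a convenient way to verify them before entering them in ThirdEye. The added script below is example code, not ThirdEye's own: it builds the session from the same choices (encryption method, port, authentication method, AD domain), lists services with the columns the Live Monitor shows, and performs the start/stop operation through the Win32_Service methods. The host name, domain and credentials are placeholders.

```powershell
# Added example, not ThirdEye code. Placeholders: host name, domain and the
# account entered at the credential prompt.

function New-WinRmServiceSession {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [ValidateSet('https', 'None')][string]$Encryption = 'https',
        [ValidateSet('Negotiate', 'Http Basic')][string]$AuthMethod = 'Negotiate',
        [string]$Domain,
        [int]$Port,
        [pscredential]$Credential = (Get-Credential)
    )
    # Port defaults follow the table above: 5986 for https, 5985 for None.
    if (-not $Port) { $Port = if ($Encryption -eq 'https') { 5986 } else { 5985 } }

    # Http Basic only base64-encodes the password, so refuse it without TLS.
    if ($AuthMethod -eq 'Http Basic' -and $Encryption -ne 'https') {
        throw 'Refusing Http Basic over an unencrypted listener.'
    }
    $auth = if ($AuthMethod -eq 'Http Basic') { 'Basic' } else { 'Negotiate' }

    # Negotiate with a domain account expects DOMAIN\user; add the prefix when
    # the user typed a bare name. (The realm itself comes from the client's
    # Kerberos configuration, not from a session parameter.)
    if ($Domain -and $Credential.UserName -notmatch '[\\@]') {
        $Credential = New-Object System.Management.Automation.PSCredential(
            "$Domain\$($Credential.UserName)", $Credential.Password)
    }

    # -UseSsl selects the HTTPS listener. Certificate validation stays on;
    # -SkipCACheck/-SkipCNCheck exist but remove what TLS is there to provide.
    # CIM sessions always use the default /wsman path; a changed Path Name is
    # only adjustable via -ApplicationName on the WSMan cmdlets (e.g. Test-WSMan).
    $opt = New-CimSessionOption -UseSsl:($Encryption -eq 'https')
    New-CimSession -ComputerName $ComputerName -Port $Port -Authentication $auth `
                   -Credential $Credential -SessionOption $opt
}

function Get-LiveServiceTable {
    param([Parameter(Mandatory)]$Session)
    # Same columns as the Live Monitor and its tooltip: name, description,
    # status, startup type, process id, log-on account and path.
    Get-CimInstance -CimSession $Session -ClassName Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, ProcessId, StartName, PathName
}

function Invoke-ServiceOperation {
    param([Parameter(Mandatory)]$Session,
          [Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][ValidateSet('Start', 'Stop')][string]$Operation)
    $safeName = $Name -replace "'", "''"
    $svc = Get-CimInstance -CimSession $Session -ClassName Win32_Service -Filter "Name='$safeName'"
    if (-not $svc) { throw "Service '$Name' not found." }
    # Win32_Service exposes StartService/StopService; ReturnValue 0 means the
    # request was accepted by the Service Control Manager.
    $result = Invoke-CimMethod -InputObject $svc -MethodName "${Operation}Service" -CimSession $Session
    return ($result.ReturnValue -eq 0)
}

$session = New-WinRmServiceSession -ComputerName 'win-host.example.internal' -Domain 'EXAMPLE'
Get-LiveServiceTable -Session $session | Format-Table -AutoSize
# Invoke-ServiceOperation -Session $session -Name 'Spooler' -Operation Stop
Remove-CimSession -CimSession $session
```

If New-CimSession fails with an HTTPS port but succeeds on 5985 with -Encryption None, the server has no HTTPS listener, which is the case to fix on the server rather than by selecting “None” in ThirdEye.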

Start/Stop WMI Services

You can start or stop services by clicking the buttons in the upper right of the window, or by right-clicking the service.

Note:

The [Start Service] and [Stop Service] buttons are enabled depending on the current status of the service.

Add WMI Monitor

WMI Service monitors can be directly added to a device in a similar way to other monitors.

  1. Click [Start Live Monitor] to open a Live Monitor page.

  2. Click the [Add Monitor(s)] button to add a monitor to the device for the selected Service(s).

WinRM authentication should be configured as usual.

The monitor will be added to the device, and monitoring will begin.

Note:

A monitor can only monitor one service at a time. To monitor multiple services, multiple monitors can be added to the same device. If the selected process has multiple instances, the added monitor will monitor all instances of the process. The instances will be indicated by <process name>, <process name>#1, <process name>#2, etc.

In the example below, the process monitor WmiPrvSE has different instances of the same process with the names WmiPrvSE, WmiPrvSE#1, and WmiPrvSE#2.

As with other monitors, WMI Process monitors can be manually added directly to the device.

The process name to be monitored must be set manually. If the selected process has multiple instances, all instances will be monitored. You can edit the process name of monitors added via the Live Monitor page.
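
The instance naming described above (WmiPrvSE, WmiPrvSE#1, WmiPrvSE#2) comes from the performance counter instances behind Win32_PerfFormattedData_PerfProc_Process. The following added PowerShell function, which is example code and not part of ThirdEye, lists every instance of one process name and folds the instances back to the base name, so you can see exactly what a process monitor with that name will cover. It queries the local machine; pass a CIM session to Get-CimInstance to query a monitored server over WinRM instead.

```powershell
# Added example, not ThirdEye code. Queries the local machine by default.

function Get-ProcessInstanceSummary {
    param([Parameter(Mandatory)][string]$ProcessName)

    # WQL LIKE with % matches the base name and every "#n" suffix in one
    # enumeration; the single quote is doubled to keep the filter well-formed.
    $safeName  = $ProcessName -replace "'", "''"
    $filter    = "Name LIKE '$safeName%'"
    $pattern   = '^' + [regex]::Escape($ProcessName) + '(#\d+)?$'

    $instances = Get-CimInstance -ClassName Win32_PerfFormattedData_PerfProc_Process -Filter $filter |
        # Drop other processes whose names merely start with the same text.
        Where-Object { $_.Name -match $pattern }

    foreach ($i in $instances) {
        [pscustomobject]@{
            Instance     = $i.Name
            BaseName     = $i.Name -replace '#\d+$', ''
            # The "#n" index is reassigned as processes start and stop, so the
            # process id is the stable key when correlating with other sources.
            ProcessId    = $i.IDProcess
            CpuPct       = $i.PercentProcessorTime
            WorkingSetMB = [math]::Round($i.WorkingSet / 1MB, 1)
        }
    }
}

$rows = @(Get-ProcessInstanceSummary -ProcessName 'WmiPrvSE')
$rows | Format-Table -AutoSize

# Roll the instances up to the name a ThirdEye process monitor is given.
$rows | Group-Object BaseName | ForEach-Object {
    $totalMB = ($_.Group | Measure-Object WorkingSetMB -Sum).Sum
    '{0}: {1} instance(s), {2} MB working set in total' -f $_.Name, $_.Count, $totalMB
}
```

A process name that matches nothing returns no rows rather than an error, which is also what an added monitor sees when the process is not running.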