Process
wmiprvse.exe
WmiPrvSE.exe is the WMI Provider Host, the process that runs WMI provider code out of process on behalf of the WMI service. Almost any management query or action that uses Windows Management Instrumentation flows through it, so it runs routinely. It matters for triage because programs launched through WMI, including remote attacker commands, appear as its children.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable (GUI)
- Original name: Wmiprvse.exe
- Internal name: Wmiprvse.exe
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
- Version: 10.0.26100.8328 (WinBuild.160101.0800) (100%)
- Size: 496.00 KB (100%)
Execution context
- Image path: C:\Windows\System32\wbem\WmiPrvSE.exe (100%)
- Not observed.
- 1 (100%)
- Session 0 (100%)
- Privileges: SeCreateGlobalPrivilege (100%), SeChangeNotifyPrivilege (100%), SeImpersonatePrivilege (100%)
Ancestry
Not observed.
Behavior
- schedprov.dll (100%), taskschd.dll (100%)
- \wkssvc (100%), \srvsvc (100%)
- shellhost.exe (100%), microsoftedgeupdate.exe (100%), wlms.exe (100%), unsecapp.exe (100%), dwm.exe (100%)
Not observed.
Indicators
Not observed.
Analysis
WmiPrvSE.exe (WMI Provider Host) hosts the providers, the DLLs that actually answer WMI queries and carry out WMI actions, in a separate process from the WMI service (Winmgmt, which lives inside svchost.exe). Isolating providers this way keeps a faulty or slow one from taking down the shared service. The genuine binary lives at C:\Windows\System32\wbem\WmiPrvSE.exe (note the wbem subfolder). It is started by the DCOM and WMI infrastructure, so its parent is normally an svchost.exe, and it runs under NETWORK SERVICE, LOCAL SERVICE, or SYSTEM depending on the provider it is hosting.
Several instances can run at once, grouped by the account a provider needs. They start when WMI activity begins and stop after a period of inactivity. WmiPrvSE carries out the work of providers itself, so on its own it has no reason to start other programs.
One behaviour is central to reading it. When something uses WMI to create a process, locally with wmic process call create or remotely over the network, the new process is launched by WmiPrvSE.exe rather than by the program that issued the request. A process created through WMI therefore appears as a child of WmiPrvSE.
Because WMI-created processes are parented by WmiPrvSE.exe, a WmiPrvSE spawning cmd.exe or powershell.exe is a classic sign of WMI-based execution and lateral movement (T1047). Remote tooling such as wmic /node:, Invoke-WmiMethod, and Impacket's wmiexec all land the same way: the payload runs as a child of WmiPrvSE on the target, not as a child of whatever reached in over the network. The parent-child link is the detection, and the spawned command line carries the intent.
WmiPrvSE is also where stealthy WMI persistence surfaces (T1546.003). An attacker registers a permanent event consumer, a CommandLineEventConsumer for example, bound to a trigger like system uptime or logon, and when it fires the consumer's command runs under the WMI host. The subscription lives in the WMI repository rather than in any autostart location, so it survives reboots and evades the usual persistence checks. Watch for WmiPrvSE launching a program that no administrative or scheduled WMI activity accounts for.
As an always-present, signed service process, WmiPrvSE is also a target for process injection, so that malicious code can run under a trusted host (T1055). In that case, watch for unusual loaded modules or network activity from a WmiPrvSE that is not spawning anything.
- Image path other than C:\Windows\System32\wbem\WmiPrvSE.exe (high)
- WmiPrvSE spawning cmd.exe, powershell.exe, or a script host (high)
- Parent other than svchost.exe (high)
- Outbound network connections from WmiPrvSE (med)
- A child process that then persists, downloads, or connects out (med)
- Running under an account that does not match any registered provider (med)
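As an added triage example, not part of this page's data and not a tool from any vendor, the following Python applies the path, parent and child indicators above to constructed process-creation records. The Sysmon-style field names, the extra script-host names (pwsh.exe, wscript.exe, cscript.exe) and the medium rating for any other unexplained child of WmiPrvSE are assumptions.

```python
from dataclasses import dataclass

# Constants taken from the indicator list above; the extra shell/script host
# names (pwsh.exe, wscript.exe, cscript.exe) are an assumption.
EXPECTED_IMAGE = r"c:\windows\system32\wbem\wmiprvse.exe"
EXPECTED_PARENT = "svchost.exe"
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                           "wscript.exe", "cscript.exe"}

@dataclass
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 carries)."""
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    command_line: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(ev: ProcEvent) -> list:
    """Return (severity, reason) pairs for one event; empty means nothing to flag."""
    findings = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image == "wmiprvse.exe":
        # WmiPrvSE itself starting: it must come from the wbem folder, via svchost
        if ev.image.lower() != EXPECTED_IMAGE:
            findings.append(("high", f"image path {ev.image} is not the wbem path"))
        if parent != EXPECTED_PARENT:
            findings.append(("high", f"parent {parent} is not svchost.exe"))
    if parent == "wmiprvse.exe":
        # Whatever WmiPrvSE launches was created through WMI (process call create,
        # a remote request, or a fired permanent event consumer).
        if image in SHELLS_AND_SCRIPT_HOSTS:
            findings.append(("high", f"WmiPrvSE spawned {image}: {ev.command_line}"))
        else:
            # Medium is an assumption: any other child still needs a known WMI caller
            findings.append(("med", f"WmiPrvSE spawned {image}: confirm a legitimate WMI caller"))
    return findings

def triage_all(events):
    """Map event index -> findings, for events that produced at least one."""
    return {i: f for i, ev in enumerate(events) if (f := triage(ev))}

# Constructed sample events, not telemetry from this page or any real host
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\svchost.exe", "WmiPrvSE.exe -secured -Embedding"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Users\Public\WmiPrvSE.exe", r"C:\Users\Public\loader.exe", "WmiPrvSE.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe", "notepad.exe"),
]
```

Running `triage_all(SAMPLE_EVENTS)` leaves the genuine start unflagged, rates the cmd.exe child and the misplaced copy high, and sends the notepad.exe child for review.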
Telemetry
- Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1