Overview
I'm sure, like many others, you're managing a large infrastructure that utilizes shared resources. This type of configuration offers obvious benefits, such as improved efficiency, centralized management, and more. However, maintaining the balance of these shared resources is crucial. Without proper maintenance, a single incorrect command or configuration can have a significant impact on multiple systems. In this post, I will cover a situation we needed to address around WMI and how it can impact a shared infrastructure.
The Details
As shown in the screenshots below, our shared environment experienced consistently high CPU and disk utilization. While occasional spikes are normal, the constant high usage indicated a misconfiguration. After extensive root cause analysis, we identified the issue as a poorly written WMI query.
"Select * from CIM_DataFile Where Extension = 'pst'"
You're probably asking yourself: what is wrong with it? The 'CIM_DataFile' class represents any file on any accessible drive, which makes it both highly useful and potentially hazardous. When it is queried without constraints such as Drive or Path, the provider has to walk every file on every accessible drive to evaluate the WHERE clause, which can result in hundreds of thousands of instances. This process can be very time-consuming and may even fail due to insufficient resources.
Depending on available resources, this process could be either quick or lengthy. On an individual system that is not a major concern, but in a shared-resource environment where multiple systems contend for the same CPU and disk, this query contributed to our high CPU and disk utilization.
So, how does Tanium fit into the picture? This WMI query was part of a Tanium Deploy package, in the package's installation verification section. Tanium's installation verification does not honor the operating system restrictions set on the package. Consequently, this query remains active during the applicability scan, which assesses ALL packages, and executes across all endpoints, regardless of the operating system restrictions set within the software package.
After the Deploy package was removed, as illustrated in the screenshots provided, our CPU and disk usage reverted to normal and our infrastructure returned to a normal operating state. From now on, our teams will take the proactive step of measuring the execution time and instance count of WMI queries before implementation, to prevent prolonged queries from reaching production.
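One way to measure a WMI query before it ships in a package, as an added PowerShell example that is not from the original post or from Tanium: it times a query under a hard timeout and reports the instance count, and compares the unconstrained query above with a version scoped to a single drive and directory (the directory path is a hypothetical example; Drive and Path are standard CIM_DataFile properties).

```powershell
# Added example (not from the original post): time a WQL query before
# it goes into a Deploy package. Reports elapsed seconds and instance
# count, so an unconstrained CIM_DataFile query shows up as expensive
# on a test endpoint instead of on every endpoint in the fleet.
function Measure-WmiQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [int]$TimeoutSec = 30
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $count = 0
    $status = 'ok'
    try {
        # -OperationTimeoutSec aborts the CIM operation instead of letting
        # the provider walk the entire file system.
        $count = @(Get-CimInstance -Query $Query `
                     -OperationTimeoutSec $TimeoutSec -ErrorAction Stop).Count
    } catch {
        $status = "failed or timed out: $($_.Exception.Message)"
    }
    $sw.Stop()
    [pscustomobject]@{
        Query     = $Query
        Instances = $count
        Seconds   = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        Status    = $status
    }
}

# The query from the post: no Drive or Path constraint, so the provider
# enumerates every file on every accessible drive to evaluate Extension.
$unconstrained = "Select * from CIM_DataFile Where Extension = 'pst'"

# Same intent, scoped to one drive and one directory (hypothetical path;
# WQL requires backslashes to be doubled). The provider can target that
# directory directly rather than walking the whole file system.
$scoped = "Select Name, FileSize from CIM_DataFile " +
          "Where Drive = 'C:' AND Path = '\\Users\\Public\\Documents\\' " +
          "AND Extension = 'pst'"

$unconstrained, $scoped |
    ForEach-Object { Measure-WmiQuery -Query $_ } |
    Format-Table -AutoSize
```

Run this on a representative test endpoint rather than in the shared environment, since the unconstrained query reproduces the exact load described above.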
Useful Links
- Paula Dayhoff
- Tony Lennox
- Martin Rippel
- Tyler Siniff
- David Parkhurst (Tanium)
- Matt Broadstock (Tanium)