[ZBX-18859] wmi.get commands cause event 5858

Created: 2021 Jan 11  Updated: 2024 Apr 10  Resolved: 2024 Feb 28

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 5.2.3, 6.0.26rc1, 6.4.11rc1, 7.0.0beta1
Fix Version/s: 6.0.28rc1, 6.4.13rc1, 7.0.0beta2, 7.0 (plan)

Type: Problem report
Priority: Major
Reporter: Christian Ullrich
Assignee: Mihails Prihodko
Resolution: Fixed
Votes: 0
Labels: 2019, 2022, 5858, Windows, event
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 10 19042.685, Windows Server 2019, Windows Server 2022


Issue Links:
Duplicate
is duplicated by ZBX-22964 WMI Error 0x80041032 caused by Zabbix... Closed
Team: Team B
Sprint: Sprint candidates, S24-W6/7
Story Points: 1

 Description   

This is a regression from ZBX-11621, or at least that fixed bug looks extremely similar to this one. Apparently this error happens if a WMI client does not fully read the result set before closing it.

My current hypothesis is that parse_first_first() should read the result until it gets a WBEM_S_NO_MORE_DATA result rather than returning after reading the first record. The current documentation for IWbemClassObject::Next() does not mention this protocol, but that for IWbemClassObject::NextMethod() does.

Steps to reproduce:

  1. zabbix_get -s ... -k wmi.get["root\cimv2","Select serialnumber from win32_bios"]
  2. On the target system, open Event Viewer and look at the Microsoft-Windows-WMI-Activity/Operational log.

Result:
There is an error event 5858 with event data similar to this:

Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = ...; User = NT AUTHORITY\SYSTEM; ClientProcessId = 10724; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : select AddressWidth from Win32_Processor; ResultCode = 0x80041032; PossibleCause = Unknown

Expected:
No error events.



 Comments   
Comment by Mihails Prihodko [ 2024 Feb 09 ]

A similar issue ZBX-22964

Comment by Mihails Prihodko [ 2024 Feb 13 ]

Mini spec

This mini spec is based on the input from MVekslers.

Agent 1 on Windows is affected.

The bug should be fixed by looping over the IEnumWbemClassObject enumerator in parse_first_first() until no values are left in it. Only the first value needs to be taken out. The others may and should be skipped.

Comment by Mihails Prihodko [ 2024 Feb 15 ]

QA-note

The events can be viewed with Windows Event Viewer:

Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> WMI-Activity -> Operational

For some unknown reason, the issue is reproduced each time on some Windows machines (one event for one query) and not reproduced on other machines each time.
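
The Event Viewer check from the QA note, as an added PowerShell example (not part of the ticket or of Zabbix): it lists recent 5858 events carrying the ResultCode quoted in the description and groups them by client process and operation, so the same query can be compared before and after an agent upgrade. The look-back window and the message regex, which follows the event data layout quoted in the description, are assumptions.

```powershell
# Added example: summarise WMI-Activity 5858 events per client process.
param(
    [int]$Hours = 24,                     # look-back window (assumption)
    [string]$ResultCode = '0x80041032'    # code shown in the report's event data
)

$filter = @{
    LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
    Id        = 5858
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Layout taken from the event data quoted in the report:
#   "...; ClientProcessId = N; ...; Operation = ...; ResultCode = 0x...; ..."
# (?s) lets the Operation text span line breaks inside a multi-line query.
$pattern = '(?s)ClientProcessId = (?<Pid>\d+);.*?Operation = (?<Op>.*?); ' +
           'ResultCode = (?<Rc>0x[0-9A-Fa-f]+)'

# Get-WinEvent reports an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    if ($e.Message -match $pattern -and $Matches.Rc -eq $ResultCode) {
        $clientPid = [int]$Matches.Pid
        # The client may have exited, or its PID may have been reused since
        # the event was logged; the name is a hint, not proof.
        $proc = Get-Process -Id $clientPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            ClientPid   = $clientPid
            Process     = if ($proc) { $proc.ProcessName } else { '(not running)' }
            Operation   = $Matches.Op.Trim()
        }
    }
}

if (-not $rows) {
    Write-Output "No 5858 events with ResultCode $ResultCode in the last $Hours hour(s)."
} else {
    # One line per (process, operation) pair, most frequent first.
    $rows | Group-Object Process, Operation |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
```

Reading the Operational log may require an elevated session.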

Comment by Mihails Prihodko [ 2024 Feb 28 ]

Available in versions:

Generated at Fri May 02 07:08:59 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.