• State Not Answered
  • Locked Locked
  • Replies 0 replies
  • Subscribers 32 subscribers
  • Views 713 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Solarwinds Orion randomly stopping W3SVC service

jbeardnc

We've been dealing with a new issue that wanted to share with the community and see if anyone has heard of it or has any insight. We are using Solarwinds Orion for monitoring and we started to notice that about a dozen of our IIS servers (all different OS versions) and the websites that run on them were experiencing a brief outage and in looking at the event logs, we found that the World Wide Web Publishing service was randomly getting stopped. After a lot of troubleshooting, we opened a ticket with Microsoft premier support and they started us out with the IIS team and they had us run debugging tools, procmon, etc and capture the occurrence which happens at all times of the day/night. The IIS team couldn't figure it out so now two weeks later, we've been passed to the WMI team at Microsoft and they had us run a WMI trace on the IIS boxes to capture all WMI activity and we finally identified the root cause. As you can see in red below, a WMI call coming from Solarwinds using the solarwinds_admin account was querying WMI for service information and then it queries the W3SVC service specifically and then for some reason, it issues a StopService command on the W3SVC service.

***** 02:26:26.705 Grp=261404 _ClientProcessId=77320 [] solarwinds_admin

    IWbemServices::Connect

***** 02:26:26.708 Grp=261405 Op=261406 _ClientProcessId=77320 [] solarwinds_admin

    Start IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Service

***** 02:26:26.952 Grp=261405 Op=261408 _ClientProcessId=77320 [] solarwinds_admin

    Start IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_DependentService

***** 02:26:27.119 Grp=261405 Op=261412 _ClientProcessId=77320 [] solarwinds_admin

    Start IWbemServices::ExecQuery - root\CIMV2 : SELECT Name, State FROM Win32_Service WHERE Name = 'W3SVC' OR DisplayName = 'W3SVC'

***** 02:26:27.301 Grp=261405 Op=261414 _ClientProcessId=77320 [] solarwinds_admin

    Start IWbemServices::ExecMethod - root\CIMV2 : Win32_Service.Name="W3SVC"::StopService

We've since excluded these IIS boxes from our Solarwinds monitoring and we're in the very early stages but so far, have not had any more occurrences of this happening but we've had Solarwinds in place for years and we've never seen this happen. Is there anyone out there who has any experience with this? Thanks in advance!

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.