ParseWmiEvents

# this script reads out the WMI Trace Eventlog
# it will parse the event text to extract the WMI queries using a RegEx expression (tested on English OS)
# then it will run those queries and measure how long it takes to execute them
# this should help in troubleshooting high wmi cpu usage
#
# line below is an easy way to view the results:
# $events | Out-GridView

$wmiLogName = 'Microsoft-Windows-WMI-Activity/Trace'
$rawEvents = Get-WinEvent -FilterHashTable @{logname=$wmiLogName; id=11} -Oldest
$events = @()
ForEach ($rawEvent in $rawEvents)
{
	if ($rawEvent.Message.Contains("ExecQuery "))
	{
		
		$matches = [RegEx]::Match($rawEvent.Message, '-\s(?<Namespace>([^\s]+))\s:\s(?<Query>[^\;]+).*ClientProcessId\s=\s(?<PID>[^\;]+)');
		$event = New-Object PSObject
		$items = $rawEvent.Message.Split(";")
		Add-Member -InputObject $event -MemberType NoteProperty -Name PID -Value $matches.Groups["PID"].Value.Trim()
		$process = Get-Process -Id $event.PID -ErrorAction:SilentlyContinue
		if ($process -eq $null)
		{
			Add-Member -InputObject $event -MemberType NoteProperty -Name "Process" -Value "<unknown>"
		}
		else
		{
			Add-Member -InputObject $event -MemberType NoteProperty -Name "Process" -Value $process.Name
		}
		
		Add-Member -InputObject $event -MemberType NoteProperty -Name 'Namespace'  -Value $matches.Groups["Namespace"].Value.Trim()
		Add-Member -InputObject $event -MemberType NoteProperty -Name 'Query' -Value $matches.Groups["Query"].Value.Trim()
		$event.Query
		$result = Measure-Command { Get-WmiObject -Namespace $event.Namespace -Query $event.Query }
		Add-Member -InputObject $event -MemberType NoteProperty -Name 'TotalMilliSeconds' -Value $result.TotalMilliseconds
		
		$events += $event
	}
}