Reputation: 229
I have been wondering recently about how exactly WMI works internally on Windows systems. I like to get specific with examples and understand them step by step, deeply:
Let's take the relatively simple scenario where I am running tasklist.exe. I know tasklist is using WMI to query the tasks running on the local machine, so this is an executable whose whole purpose is basically to run a WMI query.
After I first run it, a new service is started: a service called WmiApSrv.exe, which is a child process of svchost.exe -k DcomLaunch.
Now I wish to know what exactly tasklist.exe is doing which causes a new service to start, especially when the WMI service (under services.msc) has a startup type of Manual and not Automatic. What is causing it to start, when and how? What is the connection to that specific svchost.exe -k DcomLaunch process?
I tried to reverse engineer the RPC calls (NdrClientCall2), but I couldn't figure out which RPC call's GUID is the relevant one out of dozens of them, and where it connects to. Something that has helped me before is RpcView (http://www.rpcview.org/), but it is not working on my Windows 10 machine for some reason (nor on my Win7 or XP virtual machines). Any alternatives are highly appreciated!
Upvotes: 0
Views: 1645
Reputation: 241
This is done using LPC. You can take a look inside using Microsoft's Message Analyzer, attaching to the Microsoft-Windows-RPC endpoint where RPC events are logged. tasklist.exe calls a client stub function for the WMI interface UUID; the RPC call is directed to svchost.exe -k DcomLaunch, which in turn will open WmiApSrv.exe.
This requires a more thorough look than what I did, but I think this should get you on track to finding your answers.
Upvotes: 1
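The answer points at the Microsoft-Windows-RPC event provider as the place to look. The script below is an added example (not code from the question or the answer) that turns the same idea into a repeatable experiment on the questioner's scenario: snapshot the WMI-related services before and after running tasklist.exe, record an ETW trace of the RPC provider around the call, list which services the Service Control Manager reported as started in that window, and resolve the actual parent of WmiApSrv.exe so the DcomLaunch claim can be checked rather than assumed. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 and the service names Winmgmt (WMI) and wmiApSrv (WMI Performance Adapter); the trace file path under $env:TEMP and the session name RpcTrace are arbitrary choices. One caveat it is built around: Get-CimInstance talks to WMI itself, so using it for the "before" snapshot would demand-start Winmgmt and spoil the observation; the "before" side therefore only uses the SCM (Get-Service and sc.exe).

```powershell
# Added example, not from the original question or answer.
# Assumptions: elevated Windows PowerShell 5.1 on Windows 10; service names
# Winmgmt (WMI) and wmiApSrv (WMI Performance Adapter); RpcTrace and the
# $etl path are arbitrary names chosen for this script.

$services = 'Winmgmt', 'wmiApSrv'
$etl      = Join-Path $env:TEMP 'rpc-trace.etl'
$xml      = Join-Path $env:TEMP 'rpc-trace.xml'

function Get-ScmSnapshot {
    # Get-Service and sc.exe talk to services.exe over the SCM interface, not
    # to WMI, so taking this snapshot does not itself demand-start Winmgmt.
    foreach ($name in $services) {
        $svc    = Get-Service -Name $name
        $match  = sc.exe queryex $name | Select-String 'PID\s*:\s*(\d+)'
        $svcPid = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { 0 }
        [pscustomobject]@{
            Service   = $name
            Status    = $svc.Status
            StartType = $svc.StartType
            Pid       = $svcPid
        }
    }
}

function Get-ParentOf($processName) {
    # This one does use WMI (Win32_Process), so call it only after the
    # experiment; by then Winmgmt is running regardless. It shows which
    # process actually created WmiApSrv.exe and with what command line.
    Get-CimInstance Win32_Process -Filter "Name='$processName'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
        [pscustomobject]@{
            Process   = $_.Name
            Pid       = $_.ProcessId
            ParentPid = $_.ParentProcessId
            Parent    = $parent.Name
            ParentCmd = $parent.CommandLine
        }
    }
}

'--- before tasklist.exe ---'
Get-ScmSnapshot | Format-Table -AutoSize

# Real-time ETW session on the RPC provider the answer refers to. Every RPC
# client and server event (interface UUID, binding, endpoint) lands in $etl.
logman start RpcTrace -p Microsoft-Windows-RPC -o $etl -ets | Out-Null
$t0 = Get-Date
tasklist.exe | Out-Null          # the call under investigation
logman stop RpcTrace -ets | Out-Null

'--- after tasklist.exe ---'
Get-ScmSnapshot | Format-Table -AutoSize
Get-ParentOf 'WmiApSrv.exe' | Format-Table -Wrap

# Which services the SCM reported as entering the running state while
# tasklist.exe ran (System log, Service Control Manager event 7036).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036
    StartTime    = $t0
} | Select-Object TimeCreated, Message | Format-Table -Wrap

# Decode the trace to XML; search it for the interface UUIDs and endpoints
# that tasklist.exe's client stubs actually bound to.
tracerpt $etl -o $xml -of XML -y | Out-Null
"RPC trace decoded to $xml"
```

Run it twice a few minutes apart: a demand-start service that was already running from the first run will not show up in the 7036 events of the second, which is itself a data point about when the start happens. The decoded XML is large; filtering it for the UUIDs seen in the NdrClientCall2 stubs narrows the dozens of candidate interfaces down to the ones that were exercised during this single tasklist.exe run.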