Getting Data In

I've installed Splunk on Windows, and I see splunk-wmi.exe and splunk-regmon.exe programs. What are these? Can I turn them off?

elusive (Splunk Employee)

I installed Splunk on a Windows machine, and in Task Manager I see these two processes running by default. How can I disable them?

1 Solution

elusive (Splunk Employee)

splunk-wmi.exe and splunk-regmon.exe are instantiated by default by inputs.conf located in %SPLUNK_HOME%\etc\apps\search\default.

You can see this by running the following command:

    C:\Program Files\Splunk\bin>splunk list exec
    $SPLUNK_HOME\bin\scripts\splunk-admon.py
    $SPLUNK_HOME\bin\scripts\splunk-regmon.py
    $SPLUNK_HOME\bin\scripts\splunk-wmi.py

If you are sure that you will not be collecting events via WMI or monitoring the registry, then you can disable them. There are a few ways to disable:

  1. Via the CLI:
     a. cd \Progra~1\splunk\bin
     b. Run the following commands:

        splunk remove exec "$SPLUNK_HOME\bin\scripts\splunk-wmi.py" -auth admin:changeme
        splunk remove exec "$SPLUNK_HOME\bin\scripts\splunk-regmon.py" -auth admin:changeme

     If this does not work, try the following:

        splunk _internal call "/servicesNS/nobody/search/data/inputs/script/%24SPLUNK_HOME%5Cbin%5Cscripts%5Csplunk-wmi.py/disable" -method POST -auth admin:changeme
        splunk _internal call "/servicesNS/nobody/search/data/inputs/script/%24SPLUNK_HOME%5Cbin%5Cscripts%5Csplunk-regmon.py/disable" -method POST -auth admin:changeme

     The above commands should set the following in etc\search\local\inputs.conf:

        [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
        disabled = 1

        [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
        disabled = 1

  2. Directly in inputs.conf: The simplest form is to manually create inputs.conf in etc\search\local, enter the following, and save it:

        [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
        disabled = 1

        [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
        disabled = 1

     Upon Splunk restart, you should not see splunk-regmon.exe and splunk-wmi.exe tasks running in Task Manager.

  3. Deploying inputs.conf with the above configuration to a deployment client: When deploying via this method, make sure you copy the whole search app directory to $SPLUNK_HOME/etc/deployment-apps (default), add the above inputs.conf in the local directory, and have it propagated.
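A way to check the result before restarting, as an added example that is not from the original post or from Splunk: the script below mimics the default/local layering Splunk applies to the search app's inputs.conf, using constructed file contents, and reports which scripted inputs will still launch. Point parse_conf at the real files under %SPLUNK_HOME%\etc\apps\search\default and \local to check a live install.

```python
import configparser
from typing import Dict, List

# Constructed sample of the two layers Splunk merges for the search app:
# the shipped default inputs.conf (scripted inputs enabled) and the local
# override from the answer above. Real files: etc\apps\search\{default,local}.
DEFAULT_INPUTS = r"""
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
interval = 60
disabled = 0

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
interval = 60
disabled = 0

[script://$SPLUNK_HOME\bin\scripts\splunk-admon.py]
interval = 60
disabled = 0
"""

LOCAL_INPUTS = r"""
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
disabled = 1
"""

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_script_inputs(default_text: str, local_text: str) -> Dict[str, bool]:
    """Apply Splunk layering (local keys override default keys within a stanza)
    and return {script stanza: is_disabled}; a missing 'disabled' means enabled."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return {s: v.get("disabled", "0").lower() in ("1", "true")
            for s, v in merged.items() if s.startswith("script://")}

def still_enabled(default_text: str, local_text: str) -> List[str]:
    """Script stanzas that will still be started after a Splunk restart."""
    state = effective_script_inputs(default_text, local_text)
    return sorted(s for s, off in state.items() if not off)
```

With the sample above, only splunk-admon.py remains enabled, matching what the answer's local override leaves running.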


gkanapathy (Splunk Employee)

Note the minimal install script:

http://answers.splunk.com/questions/434/can-i-auto-install-or-deploy-splunk-onto-all-my-remote-windo...

includes disabling these inputs. If you're trying to get a forwarder to do nothing on initial install, that's as close as we can reasonably get it.

