Endpoint protection causing 100% cpu every hour

Since August 4th I've been having problems with some of my Windows 7 VMs (and 1 or 2 Windows 2008 R2 VMs). There may be other OSes too, but I've only found mostly Win 7 machines so far. Seems to affect newly created VMs, and recently I found a couple of VMs that are almost a year old with the problem. Seems totally random and I can't determine which machines might be affected and which ones won't be.

About every hour, for an hour, the CPU goes to 100% with svchost.exe using all the cycles. As far as I can tell it seems related to the Endpoint Protection client. I don't control the SCCM/Endpoint Protection stuff, but I've been working with the people who do and we don't have a reliable solution. We've tried deleting the C:\SoftwareDistribution folder, they have tried to "push the client" to a few of the affected VMs but it only seems to have worked on 2 of the 3 we tested with. I've updated the endpoint client, we've tried some WMI hotfix, and I already had some Windows update for fixing long scans/errors with low memory and Windows Update (I forget the patch number at the moment). The people who manage this tell me they have cleaned up old patches/expired updates on the server, but that isn't helping either.

If I disable the Windows Update service, everything is fine, but domain policies revert that change a few hours later. The machines in question do NOT have any Windows updates pushed to them via SCCM.

This is what I see in C:\WindowsUpdate.log. I've even noticed I only get AV definition updates every 2-5 days on these problem VMs; I don't know why it doesn't find the newer defs on a daily basis. I can provide CCM logs from the machine, but there are so many I don't know which ones would be needed.

These are all test VMs, so we have Windows Update set to never check for updates, but it still hooks into the SCCM stuff after installing the ccmsetup/SCEP stuff.


Has anyone seen this before or know where/what to look for to find a permanent fix to the problem?

2015-09-02          10:49:15:598       5944       1040       Misc       ===========  Logging initialized (build: 7.6.7601.18847, tz: -0400)  ===========
2015-09-02          10:49:15:598       5944       1040       Misc         = Process: c:\Program Files\Microsoft Security Client\MpCmdRun.exe
2015-09-02          10:49:15:598       5944       1040       Misc         = Module: C:\Windows\system32\wuapi.dll
2015-09-02          10:49:15:598       5944       1040       COMAPI               -------------
2015-09-02          10:49:15:598       5944       1040       COMAPI               -- START --  COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02          10:49:15:598       5944       1040       COMAPI               ---------
2015-09-02          10:49:15:614       5944       1040       COMAPI               <<-- SUBMITTED -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02          10:49:15:614       2804       14b4      Agent    *************
2015-09-02          10:49:15:614       2804       14b4      Agent    ** START **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02          10:49:15:614       2804       14b4      Agent    *********
2015-09-02          10:49:15:614       2804       14b4      Agent      * Online = Yes; Ignore download priority = No
2015-09-02          10:49:15:614       2804       14b4      Agent      * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'a38c835c-2950-4e87-86cc-6911a52c34a3' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
2015-09-02          10:49:15:614       2804       14b4      Agent      * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2015-09-02          10:49:15:614       2804       14b4      Agent      * Search Scope = {Machine}
2015-09-02          10:49:15:692       2804       14b4      PT           WARNING: Cached cookie has expired or new PID is available
2015-09-02          10:49:15:692       2804       14b4      PT           Initializing simple targeting cookie, clientId = 887996fe-f6c6-4835-ac4c-d42de26235a7, target group = , DNS name = vm1315.mycompany.com
2015-09-02          10:49:15:692       2804       14b4      PT             Server URL = http://MYCOMPANY.COM:8530/SimpleAuthWebService/SimpleAuth.asmx
2015-09-02          10:49:19:061       2804       14b4      PT           +++++++++++  PT: Starting category scan  +++++++++++
2015-09-02          10:49:19:061       2804       14b4      PT             + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://MYCOMPANY.COM:8530/ClientWebService/client.asmx
2015-09-02          11:38:47:693       2804       14b4      PT           +++++++++++  PT: Synchronizing server updates  +++++++++++
2015-09-02          11:38:47:693       2804       14b4      PT             + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://MYCOMPANY.COM:8530/ClientWebService/client.asmx
2015-09-02          11:38:47:802       2804       14b4      PT           WARNING: Cached cookie has expired or new PID is available
2015-09-02          11:38:47:802       2804       14b4      PT           Initializing simple targeting cookie, clientId = 887996fe-f6c6-4835-ac4c-d42de26235a7, target group = , DNS name = vm1315.mycompany.com
2015-09-02          11:38:47:802       2804       14b4      PT             Server URL = http://MYCOMPANY.COM:8530/SimpleAuthWebService/SimpleAuth.asmx
2015-09-02          11:38:51:156       2804       14b4      Agent      * Found 0 updates and 4 categories in search; evaluated appl. rules of 4414 out of 9514 deployed entities
2015-09-02          11:38:51:156       2804       14b4      Agent    *********
2015-09-02          11:38:51:156       2804       14b4      Agent    **  END  **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02          11:38:51:156       2804       14b4      Agent    *************
2015-09-02          11:38:51:156       5944       35c         COMAPI               >>--  RESUMED  -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02          11:38:51:156       5944       35c         COMAPI                 - Updates found = 0
2015-09-02          11:38:51:156       5944       35c         COMAPI               ---------
2015-09-02          11:38:51:156       5944       35c         COMAPI               --  END  --  COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02          11:38:51:156       5944       35c         COMAPI               -------------
2015-09-02          11:38:56:164       2804       14b4      Report  REPORT EVENT: {D373C3A0-28DC-4B53-B951-DCB8279E8296}                2015-09-02 11:38:51:156-0400     1              147         101         {00000000-0000-0000-0000-000000000000}           0              0                System Center Endpoint Protecti              Success                Software Synchronization            Windows Update Client successfully detected 0 updates.


  • Edited by Paul77MTL 13 hours 42 minutes ago
September 2nd, 2015 12:44pm
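To measure how long each Endpoint Protection search actually runs (the excerpt above shows the Agent search starting at 10:49:15 and ending at 11:38:51, roughly the length of the CPU spike), here is an added example, not from the thread: a small parser that pairs the "Agent: Finding updates" START/END lines of WindowsUpdate.log by process and thread id and reports duration and result per search. The sample lines are constructed from the excerpt in the post above; the threshold value is an assumption.

```python
import re
from datetime import datetime

# Constructed sample, built from the WindowsUpdate.log excerpt posted above.
SAMPLE_LOG = """\
2015-09-02  10:49:15:614  2804  14b4  Agent  ** START **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02  10:49:19:061  2804  14b4  PT     +++++++++++  PT: Starting category scan  +++++++++++
2015-09-02  11:38:51:156  2804  14b4  Agent  * Found 0 updates and 4 categories in search; evaluated appl. rules of 4414 out of 9514 deployed entities
2015-09-02  11:38:51:156  2804  14b4  Agent  **  END  **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
"""

# date  time  pid  tid  component  message
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
START_RE = re.compile(r"\*\* START \*\*\s+Agent: Finding updates \[CallerId = (.+?)\]")
END_RE = re.compile(r"\*\*\s+END\s+\*\*\s+Agent: Finding updates \[CallerId = (.+?)\]")
FOUND_RE = re.compile(r"\* Found (\d+) updates .*?evaluated appl\. rules of (\d+) out of (\d+) deployed entities")


def parse_ts(date, time):
    # WindowsUpdate.log writes milliseconds after a colon, e.g. 10:49:15:614
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S:%f")


def scan_durations(log_text):
    """Return one record per completed Agent search: caller, start, end, seconds, found, evaluated."""
    open_scans = {}   # (pid, tid) -> partial record for a search still running
    results = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, time, pid, tid, _component, msg = m.groups()
        key = (pid, tid)
        if (s := START_RE.search(msg)):
            open_scans[key] = {"caller": s.group(1), "start": parse_ts(date, time),
                               "found": None, "evaluated": None}
        elif (f := FOUND_RE.search(msg)) and key in open_scans:
            open_scans[key]["found"] = int(f.group(1))
            open_scans[key]["evaluated"] = (int(f.group(2)), int(f.group(3)))
        elif END_RE.search(msg) and key in open_scans:
            rec = open_scans.pop(key)
            rec["end"] = parse_ts(date, time)
            rec["seconds"] = (rec["end"] - rec["start"]).total_seconds()
            results.append(rec)
    return results


def slow_scans(log_text, threshold_seconds=300):
    # Assumed threshold: a search running longer than this is worth investigating.
    return [r for r in scan_durations(log_text) if r["seconds"] >= threshold_seconds]
```

Run it against the full C:\WindowsUpdate.log to see whether every hourly spike lines up with a long-running search that still reports 0 updates.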

Hi,

Do you have this installed?

https://support.microsoft.com/en-us/kb/3050265

September 2nd, 2015 12:54pm

Some machines have it, some don't, but it doesn't help either way. Most of the VMs with problems are newer ones, and they all have this update.

September 2nd, 2015 2:08pm

Hi,

You need to do a trace via Procmon and generate a support log file (MpCmdRun.exe -getfile) to analyze the cause.

September 3rd, 2015 1:51am
