100% CPU Usage

Unfortunately when ekrn takes charge, well, it doesn't let anything else work until after it's done. Maybe a size filter should be added to the scanner?

Also, is there any way to make procmon show processes by ekrn.exe that spend over say 1 second?

 

As long as you can get a log from procmon after ekrn.exe relives from taking charge of the CPU for 3-5 minutes, (IMO) that should be fine.

Because you can run analysis afterwards, but you need to have a log first.

I'm not sure how to make procmon works for 1-second and then quits through.

Cheers.

 

The only thing is that one would have to run procman all the time just in case the computer locks up since when it does, as I have seen myself, nothing is usable keyboard and mouse are dead.

 

I think I understand your concern. But I don't currently have a better idea besides having procmon running in the background all the time.

In case you decided to go ahead, remember to make sure you have enough disk space to hold the logfile. And you may like to enable the option "Drop Filtered Events" so irrelevant events are not logged.

 

The best would be to create a complete memory dump from the moment when the system appears to have frozen by following the instructions here. Creation of complete memory dumps can be enabled as follows:
1. Right-click My Computer, and then click Properties.
2. Click the Advanced tab, and then click the Startup and Recovery button.
3. Click Write Debugging Information, and then click to select either Complete Memory Dump, Kernel Memory Dump, or Small Memory Dump.

The computer will need to be restarted in order for you to be able to generate complete memory dumps manually.

 

That article indicates if one is using a USB keyboard, which I am, then one has to apply a Win2003 server patch? To a XP SP3 computer??

 

Well, I'm affraid it won't work. However, there are USB-PS2 converterts, often bundled with mice/keyboards that can be used to plug a USB device to a PS2 port.

 

Would work except in my case I am using a KVM to share keyboard and mouse between 2 computers. Oh well guess I will just have to wait.

 

still at it again........we must can find a solution

 

I have already asked those having problems for assistence, please read my posts above.

 

I had one client with that problem. He was running XPhome SP2, half meg of RAM and he bought 6 site licenses for NOD32. All installs went well but one. That one had the processor usage running 92+% continually.
Looking under the taskmanager, it showed one process dominating the computer and that was svchost.exe. I ended that task and it would work fine. Otherwise it would dominate the computer. He has to shut it off every time he started his computer.
Because he is using XP home, there are not the diag tools to see what program is included in that svchost. If he was running XP pro, it would help.

If anyone knows how to get around having to shut off that svchost every time, please enlighten me.

That is what I found and maybe it will help to answer the original question.

FM

 

Try installing this hotfix for Windows Update: http://support.microsoft.com/kb/927891/

As a result, you could see ekrn.exe utilizing the CPU if the communication from svchost.exe is redirected through it.

 

Almost a year ago I tried the NOD32 v3.0 client and was disappointed with his heavier footprint along with the troubles it brought using the internet. While I still am a loyal NOD32 user I usually suggest to most that downgrading back to the last revision of v2.7 is the wisest choice rather than beat your head trying to make v3.0 work.

If anything my fear is that Eset will eventually discontinue v2.7 and stop updates to that client. If this were to occur, I would unfortunately have to give up NOD32, a truly sad day indeed. Hopefully others in the forum express similar thoughts keeping v2.7 alive, working and well.

 

The coverage V2 provides isn't as good as V3.

 

That may be true, but version 2.7 seems to give less problems than version 3 does so that is why some of us go back to it.

 

Well, for me with one of my Lenovo laptops going mad (Vista 32bit) with 100% CPU I followed the recommendations about C:\Program Files\ThinkPad etc.

But the process analyzer revealed, that the Lenovo Access Connections also seems to permanantly update the following file here:

C:\Users\Public\Documents\AccConnAdvanced.html

After adding this to the exclusion list - the CPU load went down here!!!

Greets

 

Same problem. My PC has enough memory (2GB DDR2 800mhz) and a dual core processeor, but since I upgrade to the 3.x version (about a month ago) the ekrn.exe several times block my PC with a high processor usage I think I will install the good old 2.7. I don"t understand, ESET why can't solve this problem, because it seems this is not a new one...

 

Can you confirm that you haven't altered default settings and didn't enable advanced heuristics or runtime packers in the real-time protection setup? This is a new option in v3 and enabling it might cause ekrn to utilize the cpu more than usual. If you use default settings and the problem with high cpu usage manifests thouhg, try using Process monitor to narrow it down to the particular file causing the problem as Yosh did.

 

I don't know how version 2.7 worked or works, but in my case, the first version of nod32 I installed in my system was 3.0.669.0 and the system was just fine. No 100% CPU usage. When I upgraded to the latest version, the CPU usage went to 100%. I almost broke the damn computer! It was freaking me out. I tried to deactive Eset's active protection, which took a while to be able to do it, but when I succeded doing it, I reactivated it and the CPU usage went to normal. So, I'm guessing that there is something is wrong on that. What? No idea.
If the problem was related to huge files on the system and all that, deactivating and reactivating nod32's activate protection wouldn't solve the problem.
Maybe you guys should try to reproduce this issue in real system environments using alike system configurations as some users have. Just an idea.

Best regards

 

I bought the NOD32, because it's protection with advanced heuristics defense was the best in the market. I don't want to shoot it down, because it means a lower defense capability. I think it is not just a personal problem, because there are a very lot of quote. But it's not problem for me any more, because I install the 2.7 version. It seems the 2.7 is better than the 3.x, like the XP is better than the Vista..

Appologise for my english...

 

If you disable advanced heuristics on access in v3, it will have the same effect as installing v2 which does NOT have this option. Both v2 and v3 use advanced heuristics for newly created or modified files by default. Generally, v3 has better detection than v2 regardless of this setting.

It's like purchasing a new faster car. You may find out that the consumption is higher and because of this you'll decide to continue using your previous car. However, the fuel consumption was higher only because you drove much faster than with your previous car and the consumption at the same average speed would have been actually lower with your new car. No one is forcing you to drive with the new car at the very maximum speed, it's just your decision at the cost of higher fuel consumption.

 

Very nice explanation Hope people understand it better now and hope you somehow hide the option for AH and RTP on-access in the future version . It is obvious people generally don't understand what they are doing but they have heard from marketing materials that NOD32's power is the AH , so when they see it unchecked , they panic and check it without thinking what it might be. They blame the new version for nothing and create themselves problems. Or you must clearly explain the difference and make sure people doublle check "Yes,I agree" button before enabling these options.

 

Why can't ESET admit there is a problem that they can't fix? It is obvious that a lot of people have the problem.

 

Are you having this problem with default settings, ie. advanced heuristics and runtime packers disabled on access?

 

Are those part of NOD's protection?