Anyone Experiencing High CPU Usage with ESS?

Discussion in 'ESET Smart Security' started by rahx, Nov 29, 2007.

Thread Status:
Not open for further replies.
  1. rahx

    rahx Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    22
    I've read about this issue somewhere before but never paid attention as I hadn't had any problem myself.

    Well, guess it's my turn now...


    Lately I've been noticing ESS's kernel module (ekrn.exe) taking over 50% of CPU cycles on my computer.

    My setup is nothing special:
    Vista Business 32-bit + AVG Anti-Spyware + System Safety Monitor.

    While the problem occurred, I was simply watching some movies on my projector (configured as a secondary monitor). I think it started yesterday (or at least that's when I first noticed) but didn't think much of it. About an hour ago it got so much worse that the video just kept skipping.
    This combo has been working well for me for a while now, and I'm really at lost as to where it could go wrong.

    Has anyone else noticed this kind of behavior? And how can I get rid of it?

    Any help is appreciated.
     
    Last edited: Nov 29, 2007
  2. Remigius

    Remigius Registered Member

    Joined:
    Sep 29, 2007
    Posts:
    10
    Same problem for me using XP-Home-SP2.

    The high CPU-usage is not occuring everytime I startup but only occasionally.
    The times it happens, applications are too slow to use in a normal way. for instance outlook express and internet explorer.

    Normally rebooten helps. Don't know how to solve it o_O

    Greetz Remco
     
  3. mickael9

    mickael9 Registered Member

    Joined:
    Nov 29, 2007
    Posts:
    1
    I noticed you can kill ekrn.exe with the task manager and it restarts itself (with normal CPU usage)
    I had Kaspersky installed (but disabled), perhaps a conflict with it.
     
  4. Sonar

    Sonar Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    3
    Location:
    Nottingham (England)
    563 version was fine.

    566 installed -> then the high cpu / slow boot / slow web pages / slow outlook....


    its either 2.7 or kapcrap :(

    ~Edit~
    xp pro sp2
     
  5. tonyblair

    tonyblair Registered Member

    Joined:
    Nov 29, 2007
    Posts:
    8
    I'm seeing this intermitantly too. For absolutely no reason I can see, Ekrn.exe suddenly spikes to 50% CPU usage on both cores (Core2 Duo) and stays there until I reboot. I can't kill the process because it's running as a service under Vista x64 o_O

    I've only noticed it happening since I updated to 3.0.566.0. And from what I remember, I updated because the last build borked images on websites.

    I purchased multiple licenses too, so not best pleased at the moment :ouch:
     
  6. crummock

    crummock Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    198
    Started seeing this problem this week on two 32bit systems but not on my 64bit system (yet).
     
  7. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    I also have this problem, which I only noticed today.

    Using 566 here too, everything was fine one moment and then all of a sudden the computer's processor fan went crazy, which is how I became aware of this situation. I then quickly ran Process Explorer and saw ekrn.exe using up to 98%. I then killed it as I was very concerned for my processor which never normally runs this high with any other program.

    Then to my amazement, it restarted itself with no usage shown at all. It then continued to work fine with all protection modules operating correctly.

    I am not sure why this happened, maybe something in the update scheduler decided to kick in and then it got hung at this high level.

    Not too happy with having to kill it like this, but guess it must be a bug that needs to be sorted out by the ESET programmers. Hopefully this will be addressed in the next program update.

    In the meantime... will keep Processor Explorer ready to fire up as a work around.

    Other than this ESS for me is working perfectly and I am very happy with it.
     
  8. rahx

    rahx Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    22
    Hmmm... Now I've got my system up for almost a day and half without ekrn.exe hogging up the CPU.

    Very strange... hope there is an explanation for that.
     
  9. tonyblair

    tonyblair Registered Member

    Joined:
    Nov 29, 2007
    Posts:
    8
    According to this thread: https://www.wilderssecurity.com/showthread.php?t=187833 it happens "every other boot", so rebooting after it happened means it won't happen again until you reboot.

    I've no idea if this is the case. It does go some way to offering a possible explanation of why I see this behaviour so intermitantly: yesterday I did quite a lot of reboots and suffered the CPU spike quite a few times. Usually however, my PC is on pretty much 24/7.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    If you experience the problem with high CPU utilization by ekrn.exe and it doesn't happen when copying files, please send me a private message. We'll need to get a full memory dump for perusal.
     
  11. rahx

    rahx Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    22
    Hi Marcos,

    How can I get a full mem dump off of my system? It's really hard to tell when it happens. Two nights ago it was going crazy like there's no tomorrow but now it's as normal as it can ever be...
     
  12. rahx

    rahx Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    22
    Now that I noticed, Outlook does run much smoother and faster with ESS uninstalled.

    Hmmm...
     
  13. freesurfer

    freesurfer Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    57
    To those already using Process Explorer and those that don't mind using it, try viewing the handles used by ekrn.exe. To do this, make sure that the lower pane is visible and the view is set to handles. When ekrn.exe starts to consume CPU, this view would allow you to see whether there one or more files being opened/scanned continuously.

    I had once experienced high CPU usage by ekrn.exe even though my system seemed "idle". When I checked the handles view of ekrn.exe, it showed that a log file was continuous being opened (supposedly scanned) and closed by ekrn.exe several times a second. Unfortunately, I couldn't recall the program using the log file, but I set it to be excluded from scanning. Ekrn.exe's high use of CPU immediately dropped to zero.

    Chances are, you have one or more programs (including part of Windows) that's continuously updating a file(s), thus tripping ekrn.exe to also continuously scan the file(s), resulting in high CPU usage.

    Regards.
     
  14. linknayr

    linknayr Registered Member

    Joined:
    Sep 2, 2004
    Posts:
    2
    Have had high CPU usage on and off for some time with fast fans becoming a nuisance and applications slowing. Was running Comodo firewall and since turning it off recently have had no more occurence of problem. Any connection or just coincidence? Any particular firewall recommended to uses with NOD 32?
     
  15. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    I have now confirmed the cause of this problem on my system and it turned out to be the auto update all along... which I mentioned in my previous post.

    Since I disabled the Regular Automatic Update in the Scheduler section of the Tools menu, I have not had any further instances of high CPU.

    The only drawback to this is I don't get the regular update check every hour, but to be honest this has not caused me any problem because as I use a dial-up connection, my update is always performed with every connection to the net that takes place providing an hour has lapsed since the previous one... which is virtually always the case, and in fact can often be as often as 3 or 4 times in any given day so my update version is always found to be current.

    I find it interesting that ESET have not fixed this bug after so many people have reported it in various posts in this and other threads in recent times. It is quite possible that there are other causes to the same CPU issue, but certainly in my case I have now got a 100% working ESS which I am very happy with at the moment, but it was so annoying having my processor fan run up to maximum all the time before that made ESS a bad product for me then. So I'm sure if ESET looked into this regular update issue they would surely find at least one cause of this problem.

    Hope this helps other users if it turns out to be caused by the same issue.
     
  16. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    Maybe it's something about updating over a dial up connection. With my cable connection I never notice the update til the little pop up notification says it has been updated. Also I've never noticed high cpu usage unless I'm scanning.
     
    Last edited: Feb 3, 2008
  17. v35_pilot

    v35_pilot Registered Member

    Joined:
    Feb 4, 2008
    Posts:
    7
    Total newb to this board but my searching on this exact problem led me here, so I thought I would add to this thread - flamesuit donned.

    Essentials: Windows XP with all the updates, Comodo 3.x, ESET NOD32 3.0.621. Verizon FIOS 20 mbps down/5 up.

    Quick background: I had not been running AV for last year due to using GMail as my email and practicing safe computing. This was a result of getting very frustrated with buggy suite products over the years, and jumped from McAfee (mid 90s), NAV (late 1990s), and finally ZoneAlarm Suite (2000s until last year).

    Decided to get back into AV. My two considerations were low resource footprint and comprehensive scanning. Based on glowing web-wide recommendations NOD32 seemed to fit these requirements.

    That is, until I jumped in feet first and purchased a two-year, two PC license to ESET NOD32 (just the AV) a few weeks ago.

    In both my laptop install and my home desktop I am experiencing this problem as the OP has described. EKRN.EXE is spiking CPU to 100% on many activities, such as launching a text editor called UltraEdit, closing UltraEdit, downloading a file from a website, etc. My home computer is only a single core P4 3.2 GHz so understandably all processing and interaction with the computer comes to a crawl as EKRN is doing its thing.

    AVs should not be this intrusive, IMO, but I hold out hope that this is a bug rather than SOP.

    Oh, also worth noting that both the laptop and desktop are fresh installs of Windows XP. Reinstalled WinXP, updated all, ensured all the drivers were the latest, then started adding on apps and utilities such as NOD32.
     
  18. techcafe

    techcafe Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    13
    the problem with ekrn.exe hogging the cpu occurs (on my system) when the 'Runtime packers' option is enabled (box checked) in the 'Real-time file system protection' of the ThreatSense engine setup.

    workaround: uncheck the 'Runtime packers' option of the Real-time file system protection (press the Setup button on the Real-time file system protection area).

    note: the Runtime packers option appears in no less than 3 places, which is confusing as hell. leave the runtime packers option enabled (checked) for the 'automatic startup file check' and 'additional threatsense parameters for newly created and modified files', and then disable the runtime packers option ONLY in the ThreatSense engine parameter setup (Setup button) of the Real-time file system protection. yeah, confusing, i know.

    however, ekrn.exe will still spike the cpu when 'runtime packed' files are copied/moved b/w folders/volumes, which is retarded, because i don't see why an MD5 checksum can't be generated (of an already scanned/clean runtime packed file), so that if/when the SAME file is copied/moved in the future, it can safely be ignored by ekrn.exe (assuming the checksum hasn't changed), thus preventing ekrn.exe from hogging the cpu as it re-scans the SAME file(s), while the actual file operation, copy/move, also takes forever!

    personal note: the reason i switched to ESET in the first place was because of all the hoopla about it being fast (written in assembler), having a low memory footprint (true) and minimal overhead/impact on system resources, but i'm becoming disillusioned by all the hype. it's not what it once was, imo.

    and what's up with ESS' personal firewall... interactive mode is a mess, at least on my system, after manually configuring some applications in the rules editor, the ESS GUI (egui.exe) starts crashing. ESS needs some serious bug fixes.
     
  19. v35_pilot

    v35_pilot Registered Member

    Joined:
    Feb 4, 2008
    Posts:
    7
    techcafe, thanks for the tips. I looked over my setup for NOD32 and the 'Runtime packers' option was disabled, so in my case that was not the cause.

    In my case opening the text editor, Ultraedit32, still exhibited its newly acquired poor performance problem. There was a five second delay opening and a five second delay in closing the editor tool, both attributable to EKRN.exe. With NOD32 totally disabled the editor opened and closed immediately.

    Using Process Monitor from Sysinternals to see what was happening, I learned that the editor would read its INI file at opening and closing and that EKRN was being invoked to scan this one INI file at both events.

    With EKRN scanning this ONE file the CPU would spike to 100% about 3-5 seconds, which ultimately caused the editor's sluggish response. This kind of overhead seems to me to be totally unnecessary.

    AFAIK (correct me if I am wrong), INI files are not a high or even medium risk of containing nefarious actions so I removed the INI file extension from both setup lists of file types listed in NOD32 to scan. This corrected the editor's sluggish behavior.

    This past week I opened a case with ESET and was asked by the responding individual to uninstall and reinstall NOD32 after downloading the latest version from their site. For giggles I did this but was confident it would not resolve the problem. It didn't.
     
  20. techcafe

    techcafe Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    13
    alternatively, you could add Ultraedit's INI file (or its path) to NOD32's real-time exclusion list (see attached image). as to why .ini files (non-executables) are scanned in the first place, i'm with you on that one... why bother?

     

    Attached Files:

    Last edited: Feb 8, 2008
  21. v35_pilot

    v35_pilot Registered Member

    Joined:
    Feb 4, 2008
    Posts:
    7
    Yep, that worked. It seems that I am going to become very familiar with the exclusion list. :)
     
  22. Hans Nieuwenhuis

    Hans Nieuwenhuis Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    8
    In my situation I can easily reproduce the high CPU of ekrn.exe. If I open one of the logfiles made by Eset Smart Security, the CPU usage of ekrn.exe jumps to 50%. It drops to 0% once this logfile has been opened. Because it's a very big logfile (61 thousand lines, 15 MByte) it takes about 3 minutes to open it. NB: this only happens if I open such a logfile in Eset Smart Security itself. If I open the logfile in UltraEdit, it is opened in a few seconds. (I don't have any problems with UltraEdit opening / closing slowly because of Smart Security by the way.)

    this resembles what's written in one of the above messages:

    "I had once experienced high CPU usage by ekrn.exe even though my system seemed "idle". When I checked the handles view of ekrn.exe, it showed that a log file was continuous being opened (supposedly scanned) and closed by ekrn.exe several times a second. Unfortunately, I couldn't recall the program using the log file, but I set it to be excluded from scanning. Ekrn.exe's high use of CPU immediately dropped to zero."

    I would say if I read this message that Eset Smart Security is opening (and maybe also writing) to this logfile.

    Probably related to this: a complete scan of my computer (Windows XP SP2, 2 GByte RAM, 5400 RPM harddisk, about 680 thousand files) takes 1.5 hour. I think it can be a lot faster, because during this scan it makes aforementioned logfile of 61 thousand lines and 15 MByte.....see another post of mine.
     
  23. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    For the last few weeks, winamp has become very slow to start up and shut down. During this time ekrn.exe usage sits at 90% or more for about 10 seconds.

    As winamp has a web interface, placing it on the exclusion list would probably be a bad idea.

    Anyone else noticed a similar problem?
    It is not entirely consistent for me, so would be useful to know if others have noticed the delay.

    BTW
    This happens on Windows XP professional and Windows 2000 pro machines for me. I have a reasonably large collection of media files, which maybe exacerbation the problem.

    Edit
    Deleted the media database and still opens/closes slowly (with high ekrn.exe load), so not sure what is really happening.
     
    Last edited: Feb 15, 2008
  24. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    Sorry Patch Buddy. Winamp opens and closes quickly for me. The CPU shows 30's and 40's for 4 or 5 seconds with 1 very quick spike to 100%. Then while it is playing a song it sits at 2%.

    I'm using XP Professional x64 Edition and I have an 11 GB song library. I'm using Winamp version 5.35.

    Have you ever tried System File Checker? Ask Leo - SFC

    Every once in a while My system starts acting a little strange. I run SFC and it always asks for my OEM XP disk so I know there is a problem with Windows. After it's done My system always runs sweet again.

    I don't know about Windows 2000 though.

    Edit: It works on 2000 too.
     
    Last edited: Feb 17, 2008
  25. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    Thanks
    Will try.
    I suspect a cache file has grown excessively in winamp as the computer load varies dramatically between the user accounts on my xp machine.

    Edit
    Fixed for now.
    System File Checker made no difference.

    I had a look at winamp local user data.
    In \Documents and Settings\"user"\Application Data\Winamp\Plugins\gen_undo
    there was about 200 files with names like udo4735d93.m3u8
    Deleting all these and start up / shut down went from 30+ seconds (with ekrn.exe 90%) to <5 seconds

    So there is a work around, but I suspect ESET doesn't really want all their customers to need to do this intermittently

    Edit2
    http://forums.winamp.com/showthread.php?s=&threadid=256572&highlight=genundo
    Looks like it is mostly a winamp problem or more specifically a "Playlist Undo (gen_undo) plugin" problem.
     
    Last edited: Feb 15, 2008
Thread Status:
Not open for further replies.