ekrn.exe randombly jumps to 100% CPU Usage and stays there until killed

Discussion in 'ESET Smart Security v3 Beta Forum' started by jackm, Sep 29, 2007.

Thread Status:
Not open for further replies.
  1. jackm

    jackm Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    22
    As topic.

    Runtime packers and advanced heuristics disabled in real time protection.
     
  2. freesurfer

    freesurfer Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    57
    Just want clear things up:
    - when you say randomly, do you mean truly random, such as when doing absolutely nothing? or, say, just only when you open a folder, sometimes you encounter the problem, sometimes not?
    - "Runtime packers and advanced heuristics disabled in real time protection", do you mean the settings for the newly created and modified files or the one in the ThreatSense engine parameter setup (I'm assuming you're using NOD32 Antivirus RC1)?

    Regards
     
  3. gH0StrId3R

    gH0StrId3R Registered Member

    Joined:
    Sep 3, 2007
    Posts:
    30
    same thing happens to me...happens at boot quite often...im using ESS RC1..

    i just kill it and the new ekrn.exe doesnt consume too much
     
  4. OMEGA_RAZER

    OMEGA_RAZER Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    94
    Location:
    24.24.2.2147
    Happens to me every so often, Using ESS on XP SP3, After ending the ekrn process (after logging in from computer boot) it restarts before I can even tell it quit and then explorer and everything else shows up right away. This is actually a bit worse than the beta 2 problem with it hanging on startup cause it would sort itself out after a while... this didn't after 5 hours :p
     
  5. ldupuy

    ldupuy Registered Member

    Joined:
    Jun 7, 2005
    Posts:
    15
    Location:
    SD
    I've had the same thing; so much so that I had uninstalled ESS and went back to NOD32, which didn't last very long. I unstalled it after it was updated and reinstalled ESS RC1. I love this program! Can't wait till it comes out of beta! I'm sure it will be awesome!

    Along those same lines, is there any info with instructions as to how to set the default settings when scanning and also setting up. TIA for the help!

    Lyla
     
  6. jackm

    jackm Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    22
    Sorry for the lack of information, I was a bit rushed (hence randombly :D).

    It seems random but I think it only happens when I'm using the PC, and the only reason I notice it is because my system is bogged down. It may be caused by doing something specific, but I have no idea what.

    Also runtime packers and advanced heuristics are disabled in the "ThreastSense engine parameter setup" page of the "Real-time file system protection" section and are enabled in the "Additional ThreatSense parameters for newly created and modified files" box in the "Real-time file system protection" section. I don't see why this should matter though, even if ESS is scanning with runtime packers and advanced heuristics enabled CPU shouldn't stay at 100% for hours unless something is actually broken.

    Using ESS RC1 on XP SP3 (beta)
     
  7. freesurfer

    freesurfer Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    57
    Vague aren't we (cheers :D ). Regardless, having ruled-out the usual suspect, we'll have to do it the old-fashion way: uncheck each of the options in the ThreatSense engine parameter setup -> Options, starting from the bottom. Uncheck one and click OK / close the setup window and see if there is an improvement. Whether there is an improvement or not, please post back.

    Also, after your machine boots-up and you log in, without doing anything (except opening task manager / process explorer), check whether ekrn is still hogging the CPU or not. If not, keep task manager / process explorer open, and do something (or your usual thing ;) ). The first sign ekrn hogs the CPU and doesn't seem to ease up, post what it was you did for it to happen.

    Regards
     
  8. OMEGA_RAZER

    OMEGA_RAZER Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    94
    Location:
    24.24.2.2147
    I might have fixed this myself by accident (for me anyway) I updated my video card drivers (Forceware 162.18 to 163.71) and with the last two restarts it's worked perfectly fine and no stalling at all :doubt:
     
  9. jackm

    jackm Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    22
    Okay I just experienced another spike (first time in 2 or 3 days I think) just minutes ago and had a look in process explorer.

    I'm not sure exactly what to look for but the threads section for ekrn.exe's properties caught my eye. A thread with a start address of kernel32.dll!CreateThread+0x22 is using all the CPU and has a CSwitch Delta of around 700 (not sure what that means, but everything else is high teens or 0).

    Hope that was a bit more specific :D

    I'll try the suggestions in your post and see if I can't provide a bit more info next time.

    Cheers.
     
  10. freesurfer

    freesurfer Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    57
    wokeeeyyy.... the kind of detail I was looking for was what were you doing at that time; the info from the process explorer would probably be helpful to ESET staff/developers, though. I'm still banking on the Advanced heuristics (and other such settings) in the ThreatSense parameter setup under the Real-time file system protection.

    Here are some things you should keep in mind when you encounter the problem:
    - Where you opening a folder, either thru explorer or a program? Folders that contain a number of executables and/or compressed files tend to keep ekrn busy, especially when you set the real-time protection to paranoid ..err.. maximum.
    - Are you running an application? If so, what where you doing with the program (ie, saving/opening a file, viewing online help, etc.).
    - If your doing "nothing", with no running programs, check your memory-resident programs, such as those with icons appearing at the right of the taskbar besides the clock. Also check for running programs that have no interface/GUI, such as the windows update.

    I'm sure there are a lot more, but I'm sleepy :oops: so I hope you get what I mean: try to remember what you (or computer) are doing. Chances are that it is not the AV's fault (except for not yet being optimized ...I think) and only reacting to an event.

    Regards.
     
  11. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paran?, Argentina
    The same thing happens to me, only it happens really random, I don't know what causes it but it happens. My settings are all default so It's not that I've changed something that could be causing this.
    I kill the service and when it starts back up everything runs fine.
     
  12. Clweb

    Clweb Registered Member

    Joined:
    Dec 28, 2002
    Posts:
    127
    Location:
    France
    I noticed it today. Under Vista 32 bit. It happened after boot and update.
    Disabling all security functions did not help. Killing the process: it restarted automatically: diabled functions were enabled again (exception was the antispam module remaining disabled).
    And the CPU usage is gone.
    I'll wait for the next occurence.
     
  13. Meister

    Meister Registered Member

    Joined:
    Apr 8, 2007
    Posts:
    32
    Try disabling Scan On: File Open

    When I have that checked, opening the advanced setup menu (for example) causes 100% CPU and also on other ocasions. Unchecked, all good. I have it disabled for the time being because I know my system is 100% clean.

    Also, try placing your GUI in standard mode instead of advanced.

    I'm using XP SP2 with all updates.
     
  14. Clweb

    Clweb Registered Member

    Joined:
    Dec 28, 2002
    Posts:
    127
    Location:
    France
    I have changed nothing and today there was no problem.
     
  15. jackm

    jackm Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    22
    Oh, I actually have no interest in fixing this, if it becomes too annoying I will just uninstall it. My only interest is in diagnosing this problem as much as is convenient for me for the purposes of informing the ESS developers. But thanks for your interest :)

    On your point of it "not [being] the AV's fault ... [and the AV] only reacting to an event"; to me if this is the case then I would say that there is actually a problem with the AV as I'm not doing anything out of the ordinary and my AV shouldn't need working around at all.

    Cheers.
     
  16. andy2008

    andy2008 Registered Member

    Joined:
    Sep 21, 2007
    Posts:
    33
  17. eXPeri3nc3

    eXPeri3nc3 Registered Member

    Joined:
    Oct 13, 2007
    Posts:
    1
    I'm using ESS RC1 on WinXPSP2 fully updated.

    Having the same problem, with an additional error from drwatson.

    Any help?
     
  18. JeremyWW

    JeremyWW Registered Member

    Joined:
    Apr 13, 2005
    Posts:
    237
    Had this myself today on one of two machines. XP Pro/SP2, wireless network. Only occurred the once this morning, fine since...
     
  19. eisefr

    eisefr Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    153
    Location:
    Germany
    It happens here too. And even quiet often.
    The process ekrn cannot be killed here either. Not even with ps-tools.

    Hope this will be fixed soon. :rolleyes:
     
  20. GaryRW

    GaryRW Registered Member

    Joined:
    May 14, 2005
    Posts:
    141
    Location:
    OH, USA
    I just installed ESS on an XP SP2 yesterday and it is working well, unlike my Win2K test drone. I can force high CPU usage on ekrn and egui by simply enabling Protection Status => Personal Firewall which displays network connections. It's not constant but fluctuates. Also spikes alternate between ekrn and egui. I don't have to kill anything, just select another screen and CPU drops back to normal low.
     
    Last edited: Oct 18, 2007
  21. jackm

    jackm Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    22
    With regard to the behavior I refer to in my posts (not the same as GaryRW) it still occurs frequently and will even occur prior to logging in just following a fresh boot (I know this because the login screen is sluggish).

    Here is a the stack for the offending thread:
    Code:
    ntoskrnl.exe!KiDispatchInterrupt+0x7f
    ntoskrnl.exe!NtDeleteAtom+0x665
    ntdll.dll!KiFastSystemCallRet
    ekrnAmon.dll+0x35e3
    kernel32.dll!GetModuleFileNameA+0x1b4
    
     
Thread Status:
Not open for further replies.