
DWHWizrd.exe using excessive memory

Created: 10 Sep 2008 • Updated: 18 Jul 2010 | 26 comments

For the last week on a Windows 2003 Terminal Server with Symantec Endpoint Security 11 MR2 installed the DWHWizrd.exe process has been using a lot of memory, maxing out at 267,072K.

 

I have upgraded the client to Maintenance Patch 2 and tried re-installing but this has had no effect.

Each time the client is re-installed or the Server restarted this DWHWizrd.exe process starts off at memory usage of a few thousand K and slowly builds up until it is using 267,072K.

 

Has anyone else seen or experienced this?


Stephen Whitaker's picture

I'm having the same issue on a laptop of mine.

 

It has the latest Updates SEP MR2. DWHWizrd.exe maxes out around 100 meg of memory. And it slows the laptop to a crawl.

 

I've tried uninstalling it all, and running cleanwipe. Then reinstalled SEP. Didn't help at all. 

 

This laptop pretty much becomes useless.

 

Need a Symantec answer to this.

 

 

ozhu's picture

I have the same problem with some of the computers on our network.

1. Sometimes uninstall/reinstall will fix the problem.

2. Sometimes installing only the antivirus/antispyware function will also fix the problem.

3. If that doesn't work, then the only thing I can do is create a script to kill dwhwizrd.exe and put it in scheduled tasks.

I don't know if there's a fix for this problem, but I found step 3 to work quite well. Here's the script I'm using:

 

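Option Explicit
' Terminates every running instance of dwhwizrd.exe on the target computer via WMI.
Dim objWMIService, objProcess, colProcess
Dim strComputer, strProcessKill
strComputer = "COMPUTERNAME" ' replace with the target computer name
strProcessKill = "'dwhwizrd.exe'"

' Connect to the WMI service on the target computer
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")

' Find all matching processes and terminate each one
Set colProcess = objWMIService.ExecQuery _
("Select * from Win32_Process Where Name = " & strProcessKill )
For Each objProcess in colProcess
    objProcess.Terminate()
Next
WScript.Quit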

Change the computer name, Save it as .vbs and put it in scheduled tasks.

 

Please advise if there's a better solution.

 

Thanks

 

Oliver

Ted G.'s picture

This file runs when the client has downloaded virus definitions to process the definitions. Please see the following document for more info:


Title: 'What is the Dwhwizrd.exe file?'
Document ID: 2000042413265148
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000042413265148?Open&seg=ent

 

 

Though the doc mentions SAV only, this applies to SEP as well.

 

 

ozhu's picture

Is there a fix for the problem of dwhwizrd.exe taking up a lot of RAM? (Other than just killing it every time the computer becomes really slow.)

I don't see it running on my computer, but it would run constantly on some people's computers and take up more system resources as time goes on until the computer is basically inoperable.

Ted G.'s picture

It is working as designed, therefore there is no fix. However it should only be temporary, maybe 5 minutes or more depending on system resources, not running constantly. If you do not want it to affect the machines while users are using them, set LiveUpdate to run during off hours. However, this will increase your risk of infection since the server will not be getting virus definitions during its regular 4 hour interval.

Message Edited by Ted G. on 10-14-2008 01:39 PM

Paul Murgatroyd's picture

Do you have a large number of files in quarantine?

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Riddhi Talukdar's picture

The question asked by Paul is very important to check for this issue. Please check the quarantine folder to see if you have a large number of files there. It has been observed that this sometimes happens due to virus definition corruption. Please have a look at the quarantine folder.

Stephen Whitaker's picture

Thanks for the replies, guys.

 

I took a look at the computer in question and saw that there were NO items in the quarantine. At the moment the computer is running very quickly. I did not see DWHWizrd.exe running.

 

A couple of weeks ago, I did uninstall SEP and run Cleanwipe.exe to get rid of anything. I also went into Safe Mode and deleted anything else with Symantec in it. A few directories in Local Settings and such. Plus some very old directories. 7.5???? I think there were some very old quarantined items still being found from the new versions. That of course gets left behind even after an uninstall and a cleanwipe.

 

Reinstalled the newest version of SEP (11.0.3001 MR3).

 

The user says it still does it. I told her when it gets to the point where the computer is unusable, just restart it. That fixes it for now.

 

 

Eric Cheung T's picture

I found that I have a lot of files in quarantine which all start with DWHxxxxx.tmp.

After I manually kill DWHWizard.exe, it does not generate any more.

Does my PC really have a virus, or is it an error in SEP/Symantec AV?

If it is a program error, how can I fix it?

Many thanks...

ozhu's picture

The program would hang when I try to look at the quarantined tab. I assumed that it would then have a lot of quarantined items. I looked under the directory c:\documents and settings\all users\Application Data\Symantec\Symantec Antivirus Corporate Edition\7.5\quarantine\ and the folder had over 80000 files and is taking up 2GB of space. Is this what's causing dwhwizrd to slow down? How would I fix it?

 

Thanks
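
A read-only check for the condition described in this post, added here as an example and not part of the original thread: it reports how many files sit in the quarantine folder, how many match the DWH*.tmp pattern mentioned earlier, their total size and arrival dates, and the current memory use of DWHWizrd.exe. The path is the one quoted in the post; the function names and the use of PowerShell 3.0 or later are assumptions.

```powershell
# Added example (not from the thread). Read-only: it deletes and terminates nothing.
# Assumption: the quarantine path quoted in this thread; adjust for other installs.
$QuarantinePath = 'C:\Documents and Settings\All Users\Application Data\Symantec\' +
    'Symantec Antivirus Corporate Edition\7.5\Quarantine'

function Get-QuarantineStats {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Quarantine folder not found: $Path"
        return
    }

    # Files only; -Force includes hidden items, unreadable entries are skipped.
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum

    New-Object PSObject -Property @{
        Path        = $Path
        FileCount   = $files.Count
        DwhTmpCount = @($files | Where-Object { $_.Name -like 'DWH*.tmp' }).Count
        SizeMB      = [math]::Round(($bytes / 1MB), 1)
        # Files created per day: a steady stream of new arrivals means the folder is still growing.
        PerDay      = $files | Group-Object { $_.CreationTime.ToString('yyyy-MM-dd') } |
                          Sort-Object Name | Select-Object Name, Count
    }
}

function Get-DwhWizardMemory {
    # Working set of each running DWHWizrd.exe instance, in KB.
    Get-Process -Name 'DWHWizrd' -ErrorAction SilentlyContinue |
        Select-Object Id, StartTime,
            @{ Name = 'WorkingSetKB'; Expression = { [int]($_.WorkingSet64 / 1KB) } }
}

$stats = Get-QuarantineStats -Path $QuarantinePath
if ($stats) {
    $stats | Select-Object Path, FileCount, DwhTmpCount, SizeMB | Format-List
    $stats.PerDay | Format-Table -AutoSize
}
Get-DwhWizardMemory | Format-Table -AutoSize
```

Running it on a schedule and comparing FileCount and WorkingSetKB between runs shows whether the folder and the process are still growing.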

Riddhi Talukdar's picture

Hi,

 

Yes, the large number of quarantine files causes this dwhwizard.exe to go wild, as SEP is quarantining a lot of files, mainly tmp files in the Xfertmp folder as well. This generally happens due to virus definition corruption.

 

You may want to follow the document mentioned below for cleaning up the definitions manually, and you can also contact support for the Rx4defs utility, which will do the same job.

 

http://service1.symantec.com/support/ent-security.nsf/docid/2007123111551948

 

 

Stephen Whitaker's picture

That's what I found out also. SEP was requarantining old quarantined items from some old 7.5 directory.

 

Now that sounds like it ISN'T working as intended.

 

SEP 11 is finding old files from old versions, then trying to requarantine them, but then finding that it can't delete them.

 

So let's say there are 200 items from 7.5, then SEP 11.0 finds those 200 and puts them in its own quarantine. Then next week it finds the same 200 from 7.5 (because it can't get rid of them) and adds them to the already existing 200 in the quarantine again. So now we have 400 in quarantine in SEP 11.0. And THEN next week it does it all again.

 

So you can see how two months down the road it's 8 fold how many. And then we have this "definition updating" file that apparently gets soooooo bogged down from its idiot self that keeps quarantining old Symantec files, that it brings the whole computer to a halt. And on the same note, when it does this, depending on the file sizes, this can get to be a very large folder size. I had one that was around 9GB. On a 30 GB laptop HD, that's not leaving much for the user.

 

So for Ted G. to say about DWHWizrd.exe, "It is working as designed, therefore there is no fix." is a downright slap in the face coming from a "Symantec employee".

 

Find a fix for it "Symantec Employee". I've had to sit around for hours cleaning up 5-6 machines to prevent this from happening.

ozhu's picture

I tried the instructions provided. It did download a new set of virus definitions, but dwhwizrd still runs and takes a lot of RAM. Do I have to delete everything in the quarantine folder as well?

 

Thanks

Riddhi Talukdar's picture

Hello,

 

Apologies for the delay in response. Can you please verify what folders you have under C:\Documents and Settings\All Users\Application Data\Symantec...?

 

Also please let me know the version of SEP you are using.. 

ozhu's picture

Folders Under c:\Documents and Settings\All Users\Application Data\Symantec

Cached Installs

        ->{76B2BC31-2D96-4170-9C44-09E13B5555F3}

Common Client

        ->Temp

LiveUpdate

        ->Downloads

SavSubEng

        ->About a gazillion folders similar to {76B2BC31-2D96-4170-9C44-09E13B5555F3}

SPBBC

SRTSP

Symantec Antivirus Corporate Edition

       -> 7.5

            ->ARTemp

            ->BadPatts

            ->I2_LDVP.VDB

            ->Logs

            ->Quarantine

            ->xfer             

            ->xfer_tmp

 

The Version of antivirus currently installed on the pc is 11.0.2000.1567

 

Thanks

Riddhi Talukdar's picture

Thank you for your reply...

 

That is what I wanted to know: whether you have both the Symantec Antivirus Corp Edition and Symantec Endpoint Protection folders there. But you have Symantec Antivirus Corporate Edition, and that's good as far as you have SEP MR2.

 

Please let me know if you have a large number of files in quarantine, and try to clear them and monitor. Also, I think you are already through with the defs clean-up steps which were suggested earlier.

 

 

ozhu's picture

First I tried to refresh the virus definition but that didn't work, so here's what I tried on one of the problem PCs and it seems like it's working.

1. Uninstall SEP11

2. Delete the files+folders under C:\documents and settings\all users\application data\Symantec\Symantec Antivirus Corporate Edition\7.5\Quarantine\

3. Reinstall SEP11

 

I'll keep on monitoring it and if anything's acting up again I will post an update.

 

Thanks

ZeGhostbear's picture

Read somewhere on this forum that DWHWizrd.exe scans quarantined files after every virus definition update, which you are supposed to be able to disable, so that is the process you are observing.

 

That does not explain however why Eric and myself (and possibly ozhu) have the quarantine filled with thousands of tmp files. SEP keeps on blocking these files and sending them to the quarantine as DWHWizrd.exe memory usage keeps on climbing up and up the longer you let it run. When you reboot this behavior stops until something calls up DWHWizrd.exe again and it starts over.

 

I tried to uninstall SEP, but I cannot. Can you provide me with the infamous tool to wipe it clean?

ozhu's picture

Okay, I just went to checkup on the Problem PC again and found that more files and folders are populating in

C:\documents and settings\all users\application data\Symantec\Symantec Antivirus Corporate Edition\7.5\Quarantine\

I wonder where SEP finds these things to quarantine and how we can remove them?

ZeGhostbear's picture

It appears to me that SEP itself is creating these files upon updating virus definitions and then identifies them as a risk, which throws it into an infinite loop. Just got off the phone with tech support and MR3 is supposed to take care of this. Keeping my fingers crossed...

Stephen Whitaker's picture

Great to hear that the next MR will fix this issue.

 

Doing what Ozhu said should temporarily fix this problem. Uninstalling, cleaning out that 7.5 directory, either in Safe Mode or normal mode. I just prefer using Safe Mode to make sure I get everything.

 

Then reinstall SEP. I've had to do it to about 5 machines now. Only had one computer that took almost 2 hours for this process, but uninstalling, running Cleanwipe, deleting the 7.5 directory and reinstalling still takes about 30 min at the least.

 

 

 

Riddhi Talukdar's picture

Hello,

 

Yes, upgrading to MR3 should solve the issue, as after a successful upgrade to MR3 the "Symantec Antivirus Corporate Edition" folder will be renamed to "Symantec Endpoint protection". Please clarify if upgrading to MR3 solves the issue. This issue basically occurs on clients migrated from SAV 10.x.

Eric Cheung T's picture

My company PC has already been updated to MR3. However, the problem still occurs.

MR3 didn't fix this at all.

 

mikewenjing's picture

I am sure that SEP did the wrong job and continued to make rubbish tmp files in the Xfer folder and eat my hard drive every single day.
First of all, SEP scanned my workstation nearly every day and started DWHW....exe, which took around 400M of memory, slowed it down and made my work impossible. I am sure my computer is free from viruses because I never browse the internet and all I did was work to meet my work schedule. And I was a computer guy for about 8 years and I knew what I did and how the system works. I do not have any items on my station which your SEP reported as this or that kind of risk; it is ridiculous!
Could you give me a good solution so that I can help the tech person here to solve the problem? I am really feeling upset and frustrated because I could not find the solutions on your official website for this problem. Is this the way Symantec is treating its customers?
Thanks for your reply!
 

Neven Georgiev's picture

We have the same problem with workstations with SAV 10.0 installed.
I also want to add that this occurs on machines where we have installed the software from HP for their multifunctional device HP ML1522.
I am not sure that there is some kind of conflict between SAV and the HP driver, but the HDD overloaded activity happens on these machines.
Is there any new fix for the problem?

Thanks