Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

High CPU usage

Created: 26 May 2010 • Updated: 29 Jul 2010 | 23 comments

Hi,

another thing noticed since the upgrade from 2.1 to 6.1.5126. Sometimes after a fresh start, the cpu seems to be busy with nothing. Using Process Explorer i saw it was part of the system process, but i cannot find a trigger or reproduce it, it sometimes is & sometimes isn't.
See the attached pic for process info.

Comments 23 CommentsJump to latest comment

Jordan's picture

are there any layers active? (i.e. flagged to activate at system startup)?

If a forum post solves your problem please flag is as the solution

Peter van Esch's picture

Nope, we've had problems with layer activation on startup with extreme slow startups and eversince never used it, it's even being disabled at logoff for all layers to be sure it never happens.

Noticed that after a period, something like one hour, it disappears.

Extra info which may be relevant:
XP Sp3
McAfee Virusscan Enterprise 8.5i sp8 with EPO agent 4.5.0.1429
Novell Zen agent 7.0.1.4
Novell Client 4.91 SP5

Jordan's picture

If no layers are active then it's most likely  not SWV causing your problem.  We literally don't do anything unless layers are active on the system.

My guess would be that it's your AV or another software that runs a scan causing the problem.

If a forum post solves your problem please flag is as the solution

Peter van Esch's picture

They are not autostarting through swv, but through our own management software, zen in this case. It starts the groupwise layer after the user is logged in, so there is always a layer active at login. I tried deactivating all layers when the problem manifested, but that didn't stop the cpu usage.
I tried uninstalling all our management software & virusscanner, but the problem still occurs.
I saw the SP4 release, will try that one.
 

erikw's picture

I oftne implemented SWV with zen, and virtualizing the zen software in SWV is a bad idea. the Zen software needs to be available during boottime already. If not all software is available, then you get the unexpected interrup error.

What you can do is:

Install Zen in the base instead of in a layer.
Sorry, but that is probably the only way to solve this

Regards Erik www.DinamiQs.com Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)

*************************************************************
If your issue has been solved, Please mark it as solved
***********

Peter van Esch's picture

Zen is part of our base image, so that isn't the problem. We've just implemented the 6.1 sp4 agent, maybe that'll solve it. I'll keep you posted

Lofuchi's picture

I also experienced the same problem.   If I don't activate any layer, then the CPU usage is normal all the time.   However, if I have one or more layers active, very often, after leaving my machine on for a period of time, the CPU usage reaches 100%.  Then I am forced to cold boot my machine. 

I have reinstalled SWV on a clean windows 7 (32bits) machine and still experience the same issue.   I am currently using SWV version 6.1.5104.

Not sure if the following software causes any conflict with SWV, but I have been using these on my system as well.
- Sandboxie 3.46
- Avast Antivirus 5.0.594
- Comodo firewall

Jordan's picture

I bet it's your firewall.  Add comodo to SWV's program ignore list and see what happens (this is covered in the user guide).

If a forum post solves your problem please flag is as the solution

Peter van Esch's picture

After checking through procmon what the system process was so busy doing, I found it was trying to do something with the subkeys below HKLM\Software\Novell\NetwareWorkstation\ServerCache\, where, as the name implies, entries are created for the novell client name cache. It looks like there is some kind of conflict with the fslx driver. If I delete the whole key through regedit, the cpu hog disappears. I will also post this info on the novell forums, maybe it's a novell client defect.
Luckily it's configurable and now disabled.

Nirmal R's picture

Wondering if adding Novell process to SWV ignore list will have any positive effect. Not absolutely sure, just a thought.

Peter van Esch's picture

Don't know if .sys & .dll's can be added to the ignore list, would also be nice if I could add a regkey to an exclude

Jordan's picture

Peter if you could contact support to file an issue so we can track and look into why the Novell client is doing this it would be great.

If a forum post solves your problem please flag is as the solution

Peter van Esch's picture

Jordan, I will contact support, but is it possible to exclude regkeys? I saw this entry in the fslx regsettings: PathIgnoreList
It contains 2 entries with file and reg paths, but I can't find any documentation or syntax description.

Jordan's picture

 PathIgnoreList is a super exclude and only works with the filesystem.  We don't doc it because we don't want people removing what we allready have there and they're a little complicated to set up.

If a forum post solves your problem please flag is as the solution

cwitter's picture

We're too experiencing the high CPU usage. We're using Win 7 and the newest build of SVS 6.2 something.  I've found that having no layers activated on the computer solves the issue. We've also been able to have the CPU usage go down immediately if we deactivate a layer when this is happening (it obviously takes a really long time to get a cmd prompt running as an admin, etc). Like the previous post states it seems to happen most often when the computer has set idle for a period of time. We currently have a ticket open with support but really arent getting anywhere (its been open for a month).  It doesnt seem to matter what layer is on the box (an old one or one that I create from scratch) either. Any suggestions would be helpful.

Thanks

Jordan's picture

Are you on a domain?

Does the CPU spike happen when an empty layer is active?

If a forum post solves your problem please flag is as the solution

Palvaran's picture

That sounds EXACTLY like what we are experiencing here.  We are running Windows 7 with the latest SWV 6.1 SP4 and have computers exhibiting similar behavior.  We are also running Deepfreeze 7 and have removed Trend Officescan due to the conflict of it with SWV.

Systems Administrator
Rice University

Remember, "The happiness of your life, depends on the quality of your thoughts."

Palvaran's picture

I.e In the Device Manager, go to the Power Management Tab of the NIC properties page and see if "Allow the computer to turn off this device to save power" is checked.  If it is, try unchecking it and seeing what happens after a couple of hours.  So far, our results seem to indicate that our network cards are going into a power saving mode and when the Altiris Agents or Deepfreeze agent is trying to check in to the main servers, they are not waking up the system and subsequently maxing out the processor.  We verified our results based on a  ping to the boxes and noticed that the first initial packet would take nearly a second to return a result while the other pings are <1ms.  Can you please try and see if this works for you so that we can confirm with someone else?

Systems Administrator
Rice University

Remember, "The happiness of your life, depends on the quality of your thoughts."

snruebes's picture

Hi all,

the behaviour cwitter describes is exactly the same I'm currently experience on my machine: I'm using SWV 6.2.1548 on Win 7 32Bit Enterprise English and see high CPU utilization of the System process after 30 mins - 2 hours of usage after reboot depending on the actions I perform on the machine. (It can be that I need to open at least one layered app first as some kind of precondition - but haven't proofed this hypo yet)

Update (09/03/2010): It is not necessary to launch a layered app as precondition to get the High CPU utilization of the System process

Once the System process starts to consume a lot of CPU time 25 - 50 percent it will not go down anymore as long as I do not restart my machine. I have 15 layers imported and set to "Activate on System Startup". The only other action that helps is to deactivate all activated layers - then the CPU consumption of the System process returns immediately to normal (0 - 1 %). I also run Process Monitor and it showed me that the System process is permanently enumerating the same registry key as soon as the high CPU utilization starts:

I already tried to delete the key:

HKEY_CLASSES_ROOT\LR.LexRefBilingualService.1.0  

but then the SYSTEM process jumps the next time to the next key in this row

HKEY_CLASSES_ROOT\LR.LexRefBilingualService.1.0.1

And I have 22 reg key with "HKEY_CLASSES_ROOT\LR.*"

I don't know to which program these keys belong but I suspect MS Office 2010, which I installed natively (not as layer).

I also tried the newer version 6.2.1575, which did not help.

The workaround to disable Power management of the NIC's, Palvaran described earlier doesn't work for me. 

So it looks like we have a severe issue here, because so many people are struggling with the same phenomenon and it would be really nice if the SWV dev team would make it to a high priority issue they need to fix asap.

Maybe I should also mention, that I do not have

- Zen
- Sandboxie 3.46
- Avast Antivirus 5.0.594
- Comodo firewall
- Trendmicro OfficeScan or
- Sophos AV

product installed - I only use SEP 11.
So the root cause can't be an interference to only one of these third party apps - it must be a more general bug in the SWV client.

Thanks,
Sebastian

Update (09/04/2010): I also jumped back to our production version 6.1.5126 which also did not help - this means that at least three official releases (6.1.5126, 6.2.1548 and 6.2.1575) are affected. I "solved" the annoying problem on my machine "finally" by using the latest beta build 6.3.1094 32 Bit which is working now since one day without any new System process CPU utilization spike - it is so nice to get a always responsive system back ;-) - but this workaround is of course not a recommendable solution for an enterprise.

Update (09/06/2010): I can not recommend to use the latest beta build 6.3.1094 to workaround the issue, because I have massive problems with my printers now - 80 percent of my already installed printer objects disappeared or do not work properly anymore - I could delete them but cannot reinstall them anymore. If I try to do this, I get the following error message:

[Main Instruction]
Unable to install printer. Operation could not be completed (error 0x000003fa).
[OK][Window Title]
Add Printer

The root cause is again the SWV, because the printer installation works fine if I rename the filter driver fslx.sys under C:\Windows\System32\drivers and restart the machine to disable the client.

This is really annoying because each attempt to get rid of one bug creates another major issue.

Besides I realized, that Symantec changed the registry path/keys which defines the global excludes (directories and extensions) in the new beta build. In the past (all 6.1 and 6.2 Builds) they were defined by different DWord values under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FSLX\Parameters\FSL\Exclude

Now in the 6.3 Beta Build they are all in one Multi-String value called "ExcludePaths" direct under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FSLX\Parameters\FSL

In consequence I had a more or less empty global exclude list after my upgrade from 6.1.5125 to 6.3.1094 which only contained the default entries. All my customized global exclude entries were not automatically migrated to the new registry key!

I don't understand why the dev team changed this because it will probably cause major migration issues!!!

 
Update (09/12/2010): Since I'm using version 6.2.1562 it seems that a good trigger to cause the issue is the resume of my system from standby/sleep. If I wake up the machine from hibernation, the CPU utilization of the System process keeps normal. I'm using now the small Trinket utility do deactivate/reactivate all autostart layers as workaround, if the CPU spikes of the System process reappear to avoid a complete restart. Unfortunately version 6.2.1562 has issues with captured services so that I cannot use the Lotus Notes SSO feature of my Notes client anymore. I hope Symantec will release a new version, which fixes both issues very soon.
 
SilentCastle's picture

For us, the problem was OfficeScan.  Trend has an article that allows you to make a change, which helps, a little:

http://esupport.trendmicro.com/pages/High-CPU-usage-occurs-on-a-Windows-computer-with-Altiris-Software-Virtualization-Agent-after-installing-WFBS-or-OfficeScan.aspx

I took it a step furher and exluded all of the SWV folders and files from the Real Time Active Scan on the Trend Console and this fixed all my issues. 

erikw's picture

I just experienced this problem were it was caused by Sophos.
The solution was to register the antivirus with a local system account and mark the button act as local desktop service rather then use the localservice account.
Give it a try.
It might help

Regards Erik www.DinamiQs.com Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)

*************************************************************
If your issue has been solved, Please mark it as solved
***********

Jason Gallas's picture

I have an issue when I have a "network aware" application virtualized and I walk away and come back the system is locked up.  In this case it was the IE 6 beta v3 package.  It was active on my system and I was away for about 30 minutes.  When I came back I could barely get the task manager open to see the high SYSTEM CPU utilization.  After about 5 minutes of trying I was able to open the SWV admin console to disable the IE package.

There were no instances of IE6 running on the system at the time but the package was active.  This happened before with another "network aware" app that ran off of a mapped network drive.  I noticed after I disabled the app the system worked fine.

I am running the following:

SWV 6.1.5114
SEP 11.0.6005.562 (Just Antivirus and Antispyware, managed)

I also have the following on the programignorelist for SWV:

[_B_]PROGRAMFILES[_E_]\Symantec\Symantec Endpoint Protection\rtvscan.exe
[_B_]PROGRAMFILES[_E_]\Symantec\Symantec Endpoint Protection\Smc.exe
[_B_]PROGRAMFILES[_E_]\Symantec\Symantec Endpoint Protection\SmcGui.exe
 

m_matukin@compfort.pl's picture

Hi

I have the similar problem with 100% CPU used when activate layer.

When I deliver this layer by the Altiris NS then work fine, when I deactivate and activate again layer then 100%CPU and system stop.

When I deactivate layer then all work ok no 100% CPU and system run normaly.

When layer start after delivery then all work ok ( agent work on local account  ) activation is on user.

On different layer all work ok.

Regards,

Michał Matukin