To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Software Updater has an infinite loop resulting in high CPU usage in the WMI service

Options
WKroos
WKroos W/ Alumni Posts: 5 Security Scout

The Windows Management Instrumentation service and WMI Provider Host process are using 16% - 30% of my CPU every day for multiple hours. This slows down other applications significantly on my work laptop.

I can see in the Event Viewer in the events list named "WMI-Activity" that thousands of errors per second are being reported. Those are all caused by ClientProcessId=3464 which leads to the process id of the fssua.exe executable (F-Secure Software Updater). Because all those errors in the Event Viewer contain the following information in the Event Viewer's "General" tab:

Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = LAPTOP-WK; User = NT AUTHORITY\SYSTEM; ClientProcessId = 3464; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM meta_class WHERE __class = '__NAMESPACE'; ResultCode = 0x80041032; PossibleCause = Unknown

The fssua.exe executable is in an infinite loop while retrying to execute that query to the WMI service.

Can you fix the Software Updater so that it stops infinitely retrying to retrieve information from the WMI service when it gets an error?

Answers

  • MikaArasola
    MikaArasola W/ Partner, W/ Staff, W/ Product Leadership Posts: 72 W/ Staff
    Options

    I notified developers about this, but since it does not seem like a wide spread problem I would recommend creating a support ticket (that way they can ask for diagnostics if needed).

  • MikaArasola
    MikaArasola W/ Partner, W/ Staff, W/ Product Leadership Posts: 72 W/ Staff
    Options

    Just an update here. Developers were able to reproduce the WMI errors, but not the fact that it's looping endlessly. The assumption is that we'll be able to fix the errors, but it's possible that the looping is somehow related to configurations so it would be good to be able to have a look at them (for example through a support ticket or then send me some details like company and computer name with a private message).

  • WKroos
    WKroos W/ Alumni Posts: 5 Security Scout
    edited August 2022
    Options

    @MikaArasola It's good to hear that the errors are solvable.

    I don't know how I can send you a PM or I don't have the rights to send you a PM. But I filed a support ticket (ticket number #) yesterday that also contains my account id and a link to this forum post.

  • MikaArasola
    MikaArasola W/ Partner, W/ Staff, W/ Product Leadership Posts: 72 W/ Staff
    Options

    Thanks, I have somebody in support looking into it, I believe they still need a diagnostics file from the client to dig into the root cause. I will add further comments there.

  • WKroos
    WKroos W/ Alumni Posts: 5 Security Scout
    Options

    "...but it's possible that the looping is somehow related to configurations so it would be good to be able to have a look at them"

    I think it's not looping endlessly anymore, it felt endless because sometimes it would take hours to finish.

    The default WMI-Activity log saves only the last ~100 errors. I've now created a custom view in the EventLog that saves all the WMI-Activity errors for 7 days.


    "...Just an update here. Developers were able to reproduce the WMI errors, but not the fact that it's looping endlessly. The assumption is that we'll be able to fix the errors..."

    @MikaArasola Can you give an indication of when these errors will be fixed or notify me when they are fixed? Then I can check the WMI-Activity event log for errors and compare the duration of the scans before and after the fix to see if that was the problem.

  • WKroos
    WKroos W/ Alumni Posts: 5 Security Scout
    Options

    @MikaArasola I was able to retain all the events in the WMI-Acitivity log and gather some statistics for the Software Updater scan that ran today:

    • The scan took 12 minutes
    • Amount of events logged in the WMI-Activity log: 49.847 (Levels: 49.842 Error / 5 Information)
    • Average CPU-usage: 26%
    • Highest average Single CPU core usage: 95%
    • Average Laptop/CPU temperature: 97°C (Caused the laptop fans to run at 100% speed)


  • MikaArasola
    MikaArasola W/ Partner, W/ Staff, W/ Product Leadership Posts: 72 W/ Staff
    Options

    The reason for the errors is still being investigated. An important notice is that it's not certain that the load is caused by the errors, scanning of missing updates is fairly resource heavy on it's own as well. In the admin console there is an option to run the scan with background priority which can reduce the visible effect (though then it will take a bit longer).

    Sorry this has taken so long, some of the developers looking into it have been on sick leave slowing things down.

  • WKroos
    WKroos W/ Alumni Posts: 5 Security Scout
    Options

    Our system administrator has changed the option to background priority. It's a lot less demanding now with an average of 30% Single CPU core usage instead of 95%. Strangely the scan still takes the same amount of time.

    No problem, things like that can happen.

This discussion has been closed.