The agent is using a large amount of CPU, is there anything I should check?

Article ID: 304
Category: Configuration
Applies to: All Versions
Updated: 2023-02-01

Please ensure that you do not have Registry Auditing enabled for the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\netikus.net\EventSentry\bootscan
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\netikus.net\EventSentry\bootscan

Usually registry auditing becomes enabled for this path due to auditing the EventSentry registry path or auditing the Software path, and these settings are inherited by the bootscan path. The bootscan path contains many numeric checkpoints which are updated every second, and this causes an endless processing loop (the agent reads the event log, updates the numeric checkpoint, an event is generated because the registry was modified, the agent reads the new event, the agent updates the numeric checkpoint...) and causes high CPU.

To disable registry auditing for the bootscan path, right-click bootscan and choose Permissions, and click Advanced. Go to the Auditing tab and un-check "Include inheritable auditing permissions" and click Remove when prompted about the existing bootscan audit settings. It may take a few minutes for the processing loop to end, at which point the agent CPU will return to their normal range.

What is the normal CPU for the EventSentry agent?
The agent normally uses 1-3% CPU. If you observe values larger than this, and the resource usage does not return to the normal range after 5-10 minutes, please open Task Manager and right-click eventsentry_svc_x64.exe and choose Create Dump File, wait 30 seconds, then right-click the exe and create a second dump file. Contact our support department (link below) for information about uploading your dump files for analysis.




Try EventSentry on-premise

FREE 30-day evaluation

Download Now